Comment 14Q Re: Working as intended

Story

Lack of GUI Isolation as Linux security flaw

Preview

Working as intended (Score: 3, Insightful)

by bryan@pipedot.org on 2014-04-18 21:56 (#14E)

She's describing expected behavior. I don't see anything resembling "an inherent security flaw" in either X or Windows. If you don't trust the programs running in your user environment, you surely shouldn't expect additional security in an elevated privilege window inside that environment.

Also, the part about Windows doing anything different is complete BS. The article "Running Vista Every Day!" shows her clear lack of understanding on what UAC is doing.

Re: Working as intended (Score: 5, Interesting)

by genkernel@pipedot.org on 2014-04-19 16:40 (#14N)

Eh, I disagree. It is expected behavior, and it is indeed well known. Nonetheless, it is wrong. An application with user privilege should never have such complete control of an application running with root privileges in a sane, secure environment. Allowing that is asking for privilege escalation. The fact that input information is made so readily available to otherwise unrelated programs just makes it worse.

Back in ~2009 there was a bit of a stir involving the sheer ease of getting the window managers KDE and GNOME to run unintended programs using .desktop files . As far as I can tell, it still works. This is a real problem, with potentially nasty consequences.

Re: Working as intended (Score: 3, Insightful)

by bryan@pipedot.org on 2014-04-20 02:54 (#14Q)

Interestingly, the Thunar file manager under xfce (Xubuntu 8.10) is doing something that Gnome's and KDE's file managers are not doing: It will flag the desktop launcher file as potential malware and thus prevent execution via a simple click.
XFCE ftw! And that was back in 2008!

Moderation

Time Reason Points Voter
2014-04-28 19:56 Insightful +1 genkernel@pipedot.org
2014-04-21 12:28 Funny +1 nightsky30@pipedot.org

Junk Status

Not marked as junk