[Sugar-devel] A security vs. functionality question

Benjamin M. Schwartz bmschwar at fas.harvard.edu
Thu Aug 6 14:28:16 EDT 2009


Dear Educators and Engineers,

To educators:
How concerned are you about a feature that allows one student to invite
others to play on their computer?  Remote access is only granted if the
user chooses to share a specific activity.  The effect is similar to
letting someone walk over and type on your keyboard.

To engineers:
Is sharing an activity a sufficient indication of intent from the user to
execute a potentially dangerous action, such as sharing Terminal on a
public collaboration server?  To activate a remote VNC client in Gnome,
users must fill out this settings panel:
http://www.bani.com.br/wp-content/uploads/2007/11/vino-p-g.png .  Unlike
an Activity, though, once those settings are made, the desktop is
permanently shared.  An Activity can easily be stopped by a single click
at any time.

Background:
I have been working on a shareable version of the Terminal activity,
called ShareTerm.  The sharing functionality allows two people to type at
the same command prompt.  There is a spectrum of uses for this, from "a
friend who knows more than I do showing me how to use the command shell"
to "an expert developer performing remote debugging (while I observe and
try to understand what is going on)".

The critical issue with a shared terminal is security.  If I share my
terminal with you, then you gain the full power of that terminal.  On an
XO, running ShareTerm, this is safe enough.  Thanks to Rainbow, the
ShareTerm prompt has very limited access to the system, so participants
cannot "break the computer".  This limited access also prevents a lot of
legitimately useful and educational actions, such as performing expert
maintenance or debugging.

On SoaS Strawberry, and every other portable Sugar implementation of which
I am aware, Rainbow is not present, and so ShareTerm is just as dangerous,
and useful, as inviting someone over to type on your keyboard.

If this functionality were added to the Terminal activity, then the
behavior on the XO would match the behavior described for SoaS.

What do you think we should do?

One possibility that has occurred to me is to permit unsafe sharing only
with users who have already been designated as Buddies.  Instead of "Share
with My Neighborhood", the toolbar would only offer "Share with My Friends".
