[Sugar-devel] [FEATURE] [DESIGN] Frame Panels

Michael Stone michael at laptop.org
Thu Dec 17 11:39:29 EST 2009


>>> Yes, but what about security? Right now the shell process only
>>> executes code in /usr, executing activities in a separate process.
>
>> Executing activities in separate processes provides no security
>> benefit unless the resulting processes are in some way isolated from the rest
>> of the system.
>
>Maybe I'm missing something here, but /usr is read-only to the user, thus
>isolated from the running Sugar shell. Only root can add and modify
>extensions.

A couple of points for you:

   * I'm still working from the statement of end-user security goals outlined in
     Bitfrost.

   * Access to root is usually unnecessary for violating these security goals.
     Access to any of ~/.bashrc, ~/.xsession, ~/bin, /tmp, ".", ~/Desktop, the
     browser cookie store, the X server, or the network usually suffices.

   * Access to one process of uid A gives access to essentially all processes of
     uid A via ptrace(). ptrace() also makes it quite easy to hide what's going
     on.

   * You need to worry about both malicious extensions and benign-but-vulnerable
     extensions. You also need to worry about them in different ways.

Are we still talking past one another?

Regards,

Michael
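Added example, not part of Michael's message or of Sugar: a small Python script that models the third point above, how far a compromise of one process of uid A reaches via ptrace(). It assumes the Linux Yama LSM semantics of /proc/sys/kernel/yama/ptrace_scope (0: any same-uid process may attach; 1: only an ancestor; 2: only CAP_SYS_PTRACE; 3: nobody) and the layout of /proc/<pid>/status. The process table used for the worked run is constructed inline; `load_procs()` reads the real one when run on a Linux host.

```python
"""Estimate which same-uid processes a compromised process could attach to.

Added example (not from the Sugar-devel thread). Assumes Yama ptrace_scope
semantics; a host without Yama behaves like scope 0 (classic ptrace).
"""
import os
from pathlib import Path


def attach_allowed(scope, attacker_is_ancestor, has_cap_sys_ptrace=False):
    """Return True if a same-uid process may PTRACE_ATTACH under this scope."""
    if scope == 0:                      # classic: any process of the same uid
        return True
    if scope == 1:                      # restricted: ancestors only (or PR_SET_PTRACER)
        return attacker_is_ancestor or has_cap_sys_ptrace
    if scope == 2:                      # admin-only: needs CAP_SYS_PTRACE
        return has_cap_sys_ptrace
    return False                        # 3: ptrace attach disabled entirely


def read_ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Current Yama scope, or 0 when Yama is absent (classic behaviour)."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return 0


def descendants(procs, root):
    """Pids whose parent chain (via ppid) passes through `root`.

    procs maps pid -> (uid, ppid).
    """
    out = set()
    for pid in procs:
        cur = pid
        while cur != root and cur in procs and procs[cur][1] != cur:
            cur = procs[cur][1]
        if cur == root and pid != root:
            out.add(pid)
    return out


def reachable_same_uid(procs, attacker_pid, scope, has_cap_sys_ptrace=False):
    """Same-uid pids the attacker could attach to under the given scope."""
    uid = procs[attacker_pid][0]
    kids = descendants(procs, attacker_pid)
    return {pid for pid, (u, _ppid) in procs.items()
            if pid != attacker_pid and u == uid
            and attach_allowed(scope, pid in kids, has_cap_sys_ptrace)}


def load_procs(proc="/proc"):
    """Build pid -> (uid, ppid) from /proc/<pid>/status (Linux only)."""
    procs = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        uid = ppid = None
        try:
            for line in Path(proc, entry, "status").read_text().splitlines():
                if line.startswith("Uid:"):
                    uid = int(line.split()[1])        # real uid
                elif line.startswith("PPid:"):
                    ppid = int(line.split()[1])
        except OSError:
            continue                                 # process exited
        if uid is not None and ppid is not None:
            procs[int(entry)] = (uid, ppid)
    return procs


# Constructed process table: init (pid 1, root), a user session (100) with
# two nested children, an unrelated user process (200) and a root daemon (300).
SAMPLE_PROCS = {
    1: (0, 0), 100: (1000, 1), 101: (1000, 100),
    102: (1000, 101), 200: (1000, 1), 300: (0, 1),
}

if __name__ == "__main__":
    for scope in range(4):
        print("scope", scope, "->", sorted(reachable_same_uid(SAMPLE_PROCS, 100, scope)))
    if os.path.isdir("/proc"):
        procs = load_procs()
        me = os.getpid()
        print("this host, scope", read_ptrace_scope(), ":",
              len(reachable_same_uid(procs, me, read_ptrace_scope())),
              "same-uid processes reachable from pid", me)
```

With scope 0 the compromised session process can reach every other process of uid 1000, including the unrelated pid 200; scope 1 limits it to its own descendants; scopes 2 and 3 leave nothing reachable without CAP_SYS_PTRACE. Raising ptrace_scope narrows the ptrace path, but it does nothing for the other same-uid avenues in Michael's second point (dotfiles, the X server, the cookie store), so it is a partial mitigation rather than isolation.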

