[sugar] [OLPC Security] preliminary [PATCH] and discussion for #5657: activity isolation for all activities in ~/Activities

Jameson "Chema" Quinn jquinn
Fri Aug 1 18:48:24 EDT 2008


On Fri, Aug 1, 2008 at 4:01 PM, C. Scott Ananian <cscott at laptop.org> wrote:

> On Fri, Aug 1, 2008 at 5:01 PM, Jameson Chema Quinn
> <jquinn at cs.oberlin.edu> wrote:
> > Problem: anything named "Journal", "Terminal", "Log", or "Analyze" is not
> > isolated. This is the biggest security hole we have right now: it is a
> > trivial way for any activity to get root access.
>
> Another possible short-term hack is to simple disable
> activitybundle.install() and activitybundle.upgrade() for bundes with
> bundle_ids matching those of Journal, Terminal, Log, or Analyze.  This
> allows these activities to be installed in /home/olpc/Activites with a
> customization key, as usual, but prevents malicious attackers from
> using a web link or the activity updater to replace the
> originally-installed versions.
>
> This has the benefit of (a) not requiring us to revisit the
> "activities in /home" war, and (b) allowing us to upgrade the versions
> of these trusted activities in /home in (say) 9.1, using the "proper"
> mechanism.
>  --scott
>

I like this idea. Of course, it means that can install using "cp -r",
including installing a trojan activity which does not *look* like Terminal.

... My patch has activities requesting P_ROOT in activity.info. Could we
simply refuse to do a normal install for such activities? We could even keep
a list of them, and not respect what's not on the list, and only update the
list on a keyed install. This is not as secure as signatures, because a
sneaky attack could still modify the contents of an installed activity, but
it is getting pretty close.

Jameson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.laptop.org/pipermail/sugar/attachments/20080801/17ee8c6e/attachment-0001.htm 



More information about the Sugar-devel mailing list