Re: [PATCH] Remove absolute paths from gpg.rc
On Tue, Mar 20, 2007 at 07:28:36AM +0000, Dave wrote:
> On Mon, Mar 19, 2007 at 11:51:37PM -0400, Derek Martin wrote:
> > I'd also really like to see a configure option for mutt refuse to
> > run binaries in directories where the user has write access,
> I think that's a useful option.
it sort of defeats ~/bin.
the most secure solution is already the default: no sane program (except
the linker) creates/saves files with an executable bit set. this is a
conscious decision of the user - at the point where it is not, the
security was already compromised.
> > enabled by default, but whatever.
> Again, it shouldn't be enabled by default, unless the user has already
> informed his OS that he'd like the system to go out of its way to
> protect him. (Such a flag might also signal rm(1) to do -i by
> default, for example.)
this "user is [security wise] clueless" flag sounds a lot like the
concept of user expertize levels in general. a lot has been said why
this is a bad idea. check the kde-usability@xxxxxxxxxxxxx archive.
derek's approach is counterproductive: users will always invent creative
ways of compromising security, and are even more motivated to do so if
the system behaves non-predictably (unix incompatible, as you say it).
otoh, most users *are* idiots (yes, even the unix users - most corporate
users don't choose their environment, and the raising numbers of private
linux users doesn't exactly help, either), and even the most security
conscious ones make mistakes. when weighting the convenience of the
users against the future of a company and possibly thousands of
secondary victims, the decision is pretty clear. if there only wasn't
the previous paragraph ...
so the key is to design security in a way that does not get in the way
of the users, so they don't try to work around it. an essential part of
that design is educating the users, btw. wow, that's what i call stating
regarding the umask i can only say that i never liked it - it's way too
broad and it always gets in the way. i determine default permissions by
putting stuff in the right directory ...
regarding the paths, i'm strictly against hard-coding anything in
the binary. i can accept absolute paths determined at configure time in
the default config, but i don't think it is an advantage of any kind.
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
Chaos, panic, and disorder - my work here is done.