:: Re: [devuan-dev] [PATCH] (security)…
Author: Evilham
Date:  
To: devuan developers internal list
CC: dng
Subject: Re: [devuan-dev] [PATCH] (security) launcher: don't attempt to execute arbitrary binaries
Hello Enrico,

On Tue, Jan 07 2020, Enrico Weigelt wrote:

> What might be supposed to be convenience functionality poses a real-life
> security threat:
>
> A user can be tricked into downloading malicious code, unpacking it with
> +x permissions (e.g. via tar) and executing it by just clicking on the icon.
> In combination with other techniques (e.g. homoglyphs), even more experienced
> users can be tricked into "opening" some supposedly harmless file type, while
> Thunar in fact executes a binary - with the user's full privileges. (The same
> approach is one of the primary infection vectors used by thousands of malwares
> in the Windows world, which already caused gigantic damages.)
>
> Therefore introduce a new setting and only execute programs if explicitly
> enabled.



That's great!

Have you tried poking Thunar's developers into merging such a
feature?
This is where the developers would like such things:
https://docs.xfce.org/xfce/thunar/bugs

It'd really be the best place for a setting like this to land and
benefit all Thunar users out there (which are not limited to
Debian-like or even Linux, but also include the BSDs).

Cheers!
--
Evilham