[Emotional] So I got curious if a simple archive can screw me over...

thx-1138
Level 8
Posts: 2094
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by thx-1138 »

...since you mentioned it, Collabora already uses Rust for certain GStreamer plugins as far as I'm aware.
But if we're gonna pull the usual semi-cliched..."re-write the kernel in Rust - C is old & sucks!" line of thought here...
Reddit is full of such 'debates' I'd believe :mrgreen:

smurphos is certainly not wrong above (why would he be?).
Not every malware author wants to be 'obvious', which would be the case if it encrypted $HOME as soon as possible.
A smart malware can very much well 'wait' to actually do its tricks,
and have its actual workflow / main body of instructions triggered much later on.
Such a trigger could be whatever further common user interaction (e.g. making a copy of a launcher).
Good things come to those who wait after all... :)

smurphos is also further absolutely right in the...
...ramifications on fixing it fully on UX - this isn't just a File manager issue,
it could potentially affect any part of the system that uses the .desktop spec...
...An additional ExecHash= key to the .desktop spec could work wonders.
Compare value there eg. with contents under /var/lib/dpkg/info/ before running Exec= line.
Since hashes would already be 'known' to the system for already pre-installed packages, you'd also avoid annoyances like:
"...installing a new distro and then being presented with a dialog the first time,
you try and fire up Firefox from the menu asking the user if they trust the launcher
..."

Ie. essentially extend the .desktop mechanism to further act, up to a certain point,
as a layer of 'protection' from quickie-double-clickie-clickie end-users.
Unless something is actually installed (root access), but only locally unpacked,
.desktop files by default get to execute...nothing without manual review & explicit permission.

My point, in short, is that I don't really think the 'location' or 'copy' thereof is really the culprit here.
Problem is, contents in Exec= line can be almost anything...and not verified.

Nothing overkill in the slightest above: end-user obviously can still launch script / exe directly if that's what's desired.
If he/she does so without examining such first though, in a zomg-ho-hum-launch-photon-torpedoes manner...
yeah, well, what can we do now: there's no cure for human pebkac.

...Here I will certainly agree with rene though: although all of this is...ahem, 'nice' in theory,
and if nothing else, plenty of cool ideas & suggestions could be made...if history is an indicator, then:
no, please don't propose such. I'm fairly confident gnome / freedesktop & friends
would eventually pull some kind of Theo-de-Raadt style security paranoia,
and 'we' would end up with something 10x more convoluted / broken than desired... :)

I mean, there's a reason I mentioned the 'can't launch my own pie exes' opposite-style ridiculousness above...

rene
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

thx-1138 wrote:
Sat May 30, 2020 8:20 am
An additional ExecHash= key to the .desktop spec could work wonders.
Although I'm myself in the end only mildly interested in the issue itself, "we" already seem to have all that is needed do we not? I.e., as far as I can see trusted state of a .desktop file is kept as to it external metadata, gio set nonmalware.desktop "metadata::trusted" yes. If trusted state was to be determined as either the .desktop file residing in a system directory or said metadata being set on it, i.e., the user having needed to explicitly trust it, and if said state would determine whether or not the file manager would ever display (still only in a "desktop view mode" as far as I'm concerned, but whatever) the by the .desktop relayed name/icon rather than the actual .desktop filename and a .desktop icon, then why are we not done?

And now that you made me look I'm in fact quite unsure why this does not seem to work currently: why I can have malware.desktop display as CV.pdf without ever having explicitly trusted the .desktop file other than seemingly through marking it executable. I.e., what's the point of this current "trusted" mechanism in the first place if things don't work in this manner (non-rhetorical)?

[EDIT] Partly never mind: you guys were talking about overwriting the .desktop file. Not sure as to the very .desktop file internal ExecHash works for that but I take it this is to say that that current GIO "trusted" mechanism doesn't defend against this with its own stored hash or similar. Yah, well, maybe it should then? I mean, yah, ...
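An added example, not code from any poster in this thread, that puts thx-1138's ExecHash= proposal and rene's GIO metadata::trusted check side by side: a launcher only gets to show its Name= when it lives in a system directory, has been explicitly trusted (queried through gio(1)), or carries a verifying ExecHash= (assumed here as a hypothetical key holding the SHA-256 of the Exec= program); otherwise the real filename is shown. The SYSTEM_DIRS tuple and the sample launcher are constructed for the example.

```python
import configparser
import hashlib
import os
import shlex
import subprocess

# Launchers here came from installed packages (root was needed), so location alone trusts them.
SYSTEM_DIRS = ("/usr/share/applications/", "/usr/local/share/applications/")

# Constructed sample: a locally unpacked launcher dressed up as a document.
SAMPLE = """[Desktop Entry]
Type=Application
Name=CV.pdf
Icon=application-pdf
Exec=/bin/echo not-a-pdf %f
"""

def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict, keeping key case (Name, Exec, ...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["Desktop Entry"])

def gio_trusted(path):
    """True when GIO's metadata::trusted attribute is set on the file; False if gio(1) is unavailable."""
    try:
        out = subprocess.run(["gio", "info", "-a", "metadata::trusted", path],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return False
    return any(line.split(":")[-1].strip().lower() in ("yes", "true")
               for line in out.splitlines() if "metadata::trusted" in line)

def exechash_ok(entry):
    """Hypothetical ExecHash= key: SHA-256 of the Exec= program (first word, field codes ignored) must match."""
    expected = entry.get("ExecHash", "").strip().lower()
    try:
        with open(shlex.split(entry["Exec"])[0], "rb") as f:
            return bool(expected) and hashlib.sha256(f.read()).hexdigest() == expected
    except (OSError, KeyError, IndexError, ValueError):
        return False

def display_name(path, text, meta_trusted=None):
    """What a file manager should show: Name= only for a trusted launcher, else the real filename."""
    entry = parse_desktop(text)
    if meta_trusted is None:
        meta_trusted = gio_trusted(path)
    trusted = (os.path.realpath(path).startswith(SYSTEM_DIRS) or meta_trusted
               or exechash_ok(entry))
    return entry.get("Name", os.path.basename(path)) if trusted else os.path.basename(path)
```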

t42
Level 3
Posts: 148
Joined: Mon Jan 20, 2014 6:48 pm

Re: (non-emotional) So I got curious if a simple archive can screw me over...

Post by t42 »

Vulnerabilities based on double-clicking on documents in hope to open some nameless application will last forever. So few are those who open an application first and then go to "Open File" dialog, all others go to Limbo at some point.
A real newbie would step into the trap without realizing or realizing only once some damage has been achieved.
Still I modified an Exec= line a little and double-click-deleted the full content of my home folder including ~/.gnupg. It was fast and funny :) . Anyway you can easily come up with dozens of sed actions inside home to damage or compromise the system. Home is intrinsically insecure ... Leave alone our Nemo...
Last edited by t42 on Sun May 31, 2020 3:57 am, edited 1 time in total.
-=t42=-

lamefun
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

thx-1138 wrote:
Sat May 30, 2020 8:20 am
But if we're gonna pull the usual semi-cliched..."re-write the kernel in Rust - C is old & sucks!" line of thought here...
In my mind, "C vs Rust" is much like "telnet vs SSH" - the former in both cases is much simpler and is perfectly usable, but doesn't take into account the fact that, well, evil exists. Truth-seers try to spread this truth, and deniers, well, deny it, that's why it's so cliched...

Edit: I forgot to mention that C can't even be called simple anymore, not with the new compiler "optimizations" that compiler developers keep implementing despite truth-seers' attempts to tell them what's true.

rene
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

You may also wish to note though that anyone who'd refer to him- or herself as a truth-seer would generally tend to be anything but.
