
How to write a Linux virus in 5 easy steps

Posted Feb 11, 2009 18:43 UTC (Wed) by drag (subscriber, #31333)
In reply to: How to write a Linux virus in 5 easy steps by drag
Parent article: How to write a Linux virus in 5 easy steps

Probably the solution here is to use SELinux/Smack or perhaps a simpler LSM to provide two security contexts for the Linux desktop. Or maybe just something built into nautilus or whatever.

So that files that are downloaded to the desktop are automatically given an 'untrusted' or 'internet' security context and it would require an extra step to make them trusted. This is how Vista and Windows XP SP2+ work.

Or use an LSM to make it normally impossible for people to save files from processes that connect to the internet in any directory but the designated "$HOME/Downloads" directory. And then nautilus and whatever will treat those files in a different manner.

That way if Firefox or Adobe Flash gets hacked then an attacker can't modify or otherwise screw around with any other files on the user's desktop.

Sort of like how files stored in the ~/.Trash directory are treated differently than files that are stored in other directories.



How to write a Linux virus in 5 easy steps

Posted Feb 11, 2009 19:42 UTC (Wed) by michaeljt (subscriber, #39183)

One could also limit the permissions of user applications to do anything dangerous (including accessing the net or file I/O) in a PolicyKit-like way. Then one application could be kept from accessing another application's files (or generally, files with a MIME type that it is not supposed to handle), and it could be kept from overwriting any files except the one it had opened. If the applications were hardened à la Chrome so that one process handled one document, they could even be prevented from reading documents other than the one they were currently editing. Basic tools like ls or whatever could still work as expected, but the limited applications would not be allowed to run them.
