|
|
Subscribe / Log in / New account

Desktop malware risk gets raised and patched

February 25, 2009

This article was contributed by Bruce Byfield

One of the most common claims about GNU/Linux is that it is supposed to be relatively immune to viruses and malware. However, for the past few weeks, that claim has been more closely scrutinized, thanks to a blog posting by "foobar" entitled "How to write a Linux virus in 5 easy steps." Specifically, the posting gives a high-level explanation of how malware can take advantage of the behavior of application launchers on the GNOME and KDE desktops to infect a user account — and possibly gain root access as well. The result has been endless Internet discussions and coordinated efforts by both GNOME and KDE to minimize the problem.

The method described by foobar depends on social engineering: That is, manipulating users into saving an attachment to their GNOME or KDE desktop, and then into executing it. Ordinarily, foobar points out, a saved email attachment would not have executable permission. However, GNOME and KDE share a common format for desktop launchers (*.desktop), and allows them to run without an executable flag. This exception makes it easy to run a script (foobar suggests Python as a likely language) that will download a piece of malware, especially since a custom icon and name can disguise the nature of the program that the launcher runs. Furthermore, by adding a link in the desktop environment's autostart directory, the malware can then run each time that a user logs into the account.

From the perspective of security architecture, gaining root access is considered the goal of malware. However, foobar emphasizes that the method described can do damage without logging into the root account. Still, foobar suggests that the use of sudo and temporary root logins for graphical administration tools provide a backdoor for gaining root access. According to foobar, all that a piece of malware would need to do is make a local copy of an administration tool, then run the malware referencing the local copy. A user would then enter the root password for the tool, and not notice that the malware command was also receiving root access. Alternatively, the malware could add a similar command to the path definition of the current account. Either way, foobar writes, "there's a good chance that you will get [root access] eventually if you are patient."

These suggestions are not new. LWN pointed out the basic problem nearly three years ago, and the potential vulnerabilities of sudo were pointed out two years ago in an Ubuntu forum. All the same, foobar's post has been widely discussed since it first appeared. Besides the comments below the post, it has been discussed in such places as Linux Today, LWN, Slashdot, the KDE Community Forums, and the Ubuntu Forums.

Much of this discussion is repetitive, and beside the point. For example, some users quibble that foobar is technically referring to a trojan, not a virus at all. Others, like "Felice" below the original post, dismiss foobar's analysis on the grounds that, "There will never be any protection against the user's stupidity." Others, like "friends of the one law" (also beneath the original post) insists that such exploits are less likely on GNU/Linux than on Windows because "The installation and/or maintenance of a basic linux desktop requires a level of knowledge _and_ intellect somewhat more developed than that required for a basic Micro$oft product." All these comments, however, are side issues that do not alter the basic problem in any way, even though they each contain some degree of truth.

Other comments were more to the point. Expanding on a comment by foobar, "Colin" posted beneath the original post with a link to the code snippet that prevents Thunar, the Xfce file manager, from having the same desktop vulnerability. Still others tried to correct foobar's suggested code or variations on the basic method outlined.

Some of the most focused responses appeared as comments to LWN's initial coverage of the story. "drag" suggested using a tool like SELinux to create a security context for downloads to the desktop that flags them as untrusted until they are specifically marked as trusted. The same commenter suggested that downloads should be savable only to a designated directory off the desktop — although, as foobar pointed out in the followup blog post, whether this idea would work is uncertain.

In the last few days, both GNOME and KDE have been taking concrete steps to alleviate the problem, with discussions taking place on the XDG (Free Desktop) list. In a blog post, Michael Pyne proposes a policy that will allow files with a .desktop extension to run if they are owned by root (and therefore part of a standard installation), or installed from "a known location for services, applications, and XDG-compliant applications" (that is, ones that meet the shared Free Desktop standards). A whitelist will track all .desktop files that are permitted to run.

Pyne tells LWN that a major challenge of implementation is getting the white list correct. His first whitelist excluded autostart entries, and discussion raised a number of other cases, such as whether existing .desktop files needed to be updated, and how to handle launchers created from a menu or panel.

My first response was to simply broaden the whitelist to include the KDE install prefixes until I could get all the exceptions figured out. Luckily, David Faure immediately knew what was going on and so he's done a good job at re-restricting the whitelist, with some other kdelibs changes needed to make it happen. Last I heard there was still one user having issues (something to do with symlinks) but so far I've heard no other major complaints.

Another issue raised on the XDG list is whether a header should be added to untrusted .desktop files to prevent them from being run from the command line. While some developers questioned the need, Pyne seems to have decided that the precaution is necessary.

Still another concern is to write a clear dialog window that opens when a user tries to launch a .desktop file that is not whitelisted and is therefore not executable. The language is still being improved, but will probably explain the potential danger and when you should and should not continue to run the program, as well as giving the complete path to the command.

GNOME developer Alexander Larsson, although writing that the issue is "all pretty overblown," is working along similar lines. When the changes are implemented, GNOME will add an executable permission to all existing .desktop files when upgrading — a move that KDE, for now, will not follow. "We thought about it but opted to start with the dialog," Pyne tells LWN. "Some kind of dialog will be required no matter what, and any auto-upgrade we do in KDE would have to be done with the user's permission. We may still do it, but it not set yet."

Another difference in GNOME is that any .desktop files that are executable but not in a system directory will be flagged as "untrusted." To emphasize their status, such files will show a shortcut icon and the real file name, rather than any custom icon and display name for the desktop. Pyne has expressed some interest in this idea to LWN, and briefly speculated about how files might be listed as trusted, but, for now KDE is not following this suggestion.

However, much as in KDE, clicking an untrusted file in GNOME will open a dialog that warns the user about the file's status, and gives the choice of running it anyway, marking it as trusted, or canceling its execution.

In both GNOME and KDE, these changes should appear very shortly. Larsson asked for a string break approval for next month's release of GNOME 2.26 so that his changes, particularly the new dialog, can be included. The request was granted, and Larsson tells LWN, "all the required Gnome changes have now landed in glib and nautilus."

Similarly, Pyne hopes to see his changes backported to KDE 4.2 in a point release, as well as appearing in KDE 4.3. Whether the backports occur, he explains to LWN, depends "on if it's deemed a big enough security risk."

The speed with which these changes are being implemented suggests that both KDE and GNOME are treating the security problem as moderately serious. However, Pyne is careful to warn about the limits of the fixes, telling LWN:

This kind of security is only intended to defend against the type of vulnerability where an email attachment or web link is directly executed (by way of downloading an image and clicking on it, for instance). This doesn't defend against archives with executable .desktop files, just like archives with executable Python scripts have no protection. This also doesn't defend against the user following guided instructions on saving a trojan in a whitelisted directory, just like we can't save users who will type in "sudo rm -rf/" in a terminal because an email told them to. This just brings .desktop files up to normal POSIX levels of executable security, nothing more or less.

In other words, the fixes should minimize the chances of a malware infection of the type describes by foobar, but, as many commenters have pointed out, nothing can completely counter user ignorance, rashness, or plain stupidity. The most that desktop developers can do, short of restricting desktop files to a degree that most users would find unacceptable, is to make users aware of the consequences of their possible actions.


Index entries for this article
SecurityDesktop
GuestArticlesByfield, Bruce

to post comments

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 3:54 UTC (Thu) by bluefoxicy (guest, #25366) [Link] (3 responses)

> The installation and/or maintenance of a basic linux desktop requires a
> level of knowledge _and_ intellect somewhat more developed than that
> required for a basic Micro$oft product.

This is a bug. Linux is for geeks, and not suitable for the common user. Once Linux is suitable for the common user, the above statement becomes false.

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 10:39 UTC (Thu) by addw (guest, #1771) [Link] (1 responses)

Not true. I have some customers who use a Linux desktop that are definitely not geeks.

Desktop malware risk gets raised and patched

Posted Mar 5, 2009 10:44 UTC (Thu) by forthy (guest, #1525) [Link]

Same here, I consider this bug as fixed and we should close it.

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 11:56 UTC (Thu) by Cato (guest, #7643) [Link]

It also doesn't address (1) a geek sets up the Linux desktop for someone else, as I have done, or (2) it's a corporate Linux desktop, or (3) Netbooks or PCs with Linux pre-installed.

Nice writeup

Posted Feb 26, 2009 4:11 UTC (Thu) by pynm0001 (guest, #18379) [Link] (7 responses)

Good writeup, although I'd appreciate if you could s/Pyne/Michael Pyne/ on
the first mention of my name just to give people some context. ;)

I'm still working on tweaking the dialog to remove as much text as
feasible (this is what it looks like on my system right now):

http://purinchu.net/dumping-ground/krun8.png
http://purinchu.net/dumping-ground/krun9.png

which show the dialog with a sane Exec= and a crazy Exec= line,
respectively.

In addition I'll be working on implementing some of the precautions
Alexander already has (namely no custom icons, no sniffing, and showing
.desktop for untrusted .desktop files). KDE 4.2.1 is about to be tagged
so these changes could be backported to 4.2.2 at the earliest, but only
after we have tested everything thoroughly in /trunk, which was broken for
a few people when the initial security was first implemented. David Faure
has been fixing up bugs and oversights here and there since with the
klauncher and KRun changes but everything seems stable at this point.

Nice writeup

Posted Feb 26, 2009 4:19 UTC (Thu) by jake (editor, #205) [Link]

> Good writeup, although I'd appreciate if you could s/Pyne/Michael Pyne/ on
> the first mention of my name just to give people some context. ;)

Oops, my apologies, fixed now, thanks!

jake

Nice writeup

Posted Feb 26, 2009 5:34 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 responses)

Uhh, shouldn't the default in those dialogs probably be "Cancel"?

Nice writeup

Posted Feb 26, 2009 22:49 UTC (Thu) by pynm0001 (guest, #18379) [Link]

The default in the code is KDialog::Cancel, and was working last I
checked. :)

Nice writeup

Posted Feb 26, 2009 8:10 UTC (Thu) by tzafrir (subscriber, #11501) [Link] (2 responses)

Suppose I write as a program:

wget http://somewhere/ | sh # (Web Browser)

The dialog will show the command to run, and that command includes the descriptive (not) comment "Web Browser".

Do you suppose enough people would fall for it?

Nice writeup

Posted Feb 26, 2009 22:54 UTC (Thu) by pynm0001 (guest, #18379) [Link] (1 responses)

Do I suppose that people piping code straight from the Internet
into a shell will fall for misleading text in a dialog box? Yes, I
suppose people insane enough to pipe arbitrary code into a running shell
*would* fall for it.

Nice writeup

Posted Feb 27, 2009 5:09 UTC (Fri) by jimparis (guest, #38647) [Link]

I think you misunderstood his point, which I read as: What if the "Exec=" command in the .desktop file is misleading? Such that the user reads your dialog box, decides the command looks benign, and then clicks Continue --> but really it was just a cleverly hidden attack.

I don't think you can expect to work around this any more than you can teach users to not trust "https://www.paypal.com.nigerian-scammers-love-you.com". However, it's an argument FOR keeping some text like "If you don't know where this came from or what's going on, click Cancel" in the dialog box.

As an example, your recent dialog (krun8.png) might end up reading:

"This will start the program:
xterm -e 'dd if=/dev/null of=/dev/sda'
If you do not trust this program, press cancel"

and users could think "Oh, well, I don't fully understand what that means, but I do trust xterm, so I'll click OK"

What about KDE 3, which is "still supported"

Posted Mar 6, 2009 15:44 UTC (Fri) by Duncan (guest, #6647) [Link]

What about those of us who still find KDE 4.2 not mature enough for our
needs, who are thus still using KDE 3.5? This is a security issue and KDE
3.5 is after all still supposed to be be supported, yet the only mentions
are for 4.2 and 4.3. Where's the discussion of the fix for 3.5?

Duncan

Sign .desktop files

Posted Feb 26, 2009 10:46 UTC (Thu) by addw (guest, #1771) [Link]

Part of the problem is how to allow local .desktop files to be installed, something that some places/people will want to do. How about having a signature block in these files that can be checked before the .desktop is run. ''Standard'' installed stuff can be checked against standard public keys, a site could install its own public key somewhere.

Maybe not the entire answer, but good security is multi layered: belts and braces.

Now to fix archivers

Posted Feb 26, 2009 11:09 UTC (Thu) by epa (subscriber, #39769) [Link] (10 responses)

As the summary points out, you are still vulnerable if you receive a .zip or .tar.gz file by email and your friendly GUI archiver program unpacks it and makes files executable. For command line tar(1) and zip(1) it's fine to extract with the same executable permissions as in the archive*, since command line users can be expected to understand the risks of running executables, and the command line interface doesn't muddy the distinction between opening a file and running it. ('less some_file' versus './some_file')

But for graphical unarchiving programs - or browsing directly to the contents of a zip file inside the file manager - I would prefer that the default be for all plain files to be non-executable, even if the archive specifies that the +x bits be set. If the user wants to extract a zipfile and have executables (or .desktop files) be ready to run by double-clicking, this should require an explicit step, where the app can give a brief warning.

I must say, though, that GNOME's solution of marking .desktop files not in a system directory as 'untrusted' would take care of a good part of this problem. It will no longer be possible to unpack an archive and get a file that appears to be a JPEG image with thumbnail, but is in fact executing an arbitrary command.

Now to fix archivers

Posted Feb 26, 2009 15:14 UTC (Thu) by epa (subscriber, #39769) [Link]

(*) except that suid and sgid bits should not be restored by default.

Now to fix archivers

Posted Feb 27, 2009 10:34 UTC (Fri) by liljencrantz (guest, #28458) [Link] (8 responses)

In my opinion, it would be much more sane to strip executable bits from all archives marked as untrusted, regardless of what program is used to do the unpacking. Perhaps a dialog should be shown in the gui, something like «SECURITY ALERT: The archive you are extracting contains executable files, but because it was downloaded from the IntarBLAG, it has been marked as untrusted. Do you want to permit the running of these executables?».

Now to fix archivers

Posted Feb 27, 2009 11:12 UTC (Fri) by hppnq (guest, #14462) [Link] (7 responses)

That is like suggesting all candy to be stripped of sugar, instead of telling your kids not to accept any candy from strangers.

Now to fix archivers

Posted Feb 27, 2009 12:07 UTC (Fri) by liljencrantz (guest, #28458) [Link] (6 responses)

Huh? How do you figure? The OP suggested that when using a GUI, all executable bits should be stripped, which I guess is kind of like removing sugar from all candy, at least if you're a fan of far fetched analogies. But I specifically suggested that this action only be applied to archives that are marked as untrustworthy by the system, e.g. mail attachments. The exact same files that are as of today already stripped of their executable bits in the case of regular executable programs, and soon also for .desktop files, would also be stripped of executable bits even in the case of archives.

Since you're a fan of analogies, that would be like automatically stripping the sugar of all candy that was given to you by strangers. Hardly an ideal way of raising you child if that is the _only_ action you take, but it could be one small part of a balanced strategy aiming to raise your children.

Now to fix archivers

Posted Feb 27, 2009 14:09 UTC (Fri) by hppnq (guest, #14462) [Link] (5 responses)

I'm sorry if it was not obvious what I meant to say.

How and when will your system distinguish untrusted archives from non-trusted archives, and, given the fact that a perfectly good reason for putting files in an archive is to preserve permissions, how and when would you or your system restore the original bits?

Oh, and what problem would you have solved? How many times would you be prepared to solve it?

Now to fix archivers

Posted Feb 27, 2009 15:06 UTC (Fri) by liljencrantz (guest, #28458) [Link] (4 responses)

There are two suggestions for tagging any file as untrusted in the original article: SELinux tagging and having an 'untrusted downloads file area'.

As to when one would restore the original bits, I suggested a dialog for doing exactly that in my original post.

Now to fix archivers

Posted Feb 27, 2009 16:00 UTC (Fri) by hppnq (guest, #14462) [Link] (3 responses)

There are two suggestions for tagging any file as untrusted in the original article: SELinux tagging and having an 'untrusted downloads file area'.

These two "tagging" methods indicate that you already know which files are trusted and which files are not trusted. So the question remains.

As to when one would restore the original bits, I suggested a dialog for doing exactly that in my original post.

And I asked the reasonable questions: what problem do you think you have solved, and how many times will you solve it?

There is nothing very insecure about a user downloading or even unpacking an archive -- except of course if you suddenly start to treat certain file attributes, like execute bits or mime types, in a new and special way.

Now to fix archivers

Posted Feb 27, 2009 16:42 UTC (Fri) by liljencrantz (guest, #28458) [Link] (2 responses)

How many times will this problem be solved? How many times can any problem be solved? At most one, of course. If a problem is solved, it is by definition solved and in no need of being solved. But in this case, it is a superbly silly question that makes me wonder if you understand the reason why we have computer security mechanisms at all. Your question seems to assume that the problem of computer security is a problem with one single solution that will resolve every issue for the rest of eternity. Not going to happen.

The problem that is partially solved is the problem of computer security. Specifically, it slightly improves the security in the situation of an Internet connected desktop computer with a non-experienced user, where it is currently far too easy to use social engineering to infest a great number of machines with trojans because of security policys that currently make it far to easy to run arbitrary executables downloaded from the Internet.

What has been proposed is another partial solution, and I'm sure more partial solutions will be created in the future. It's an endless balance between security and convenience.

Now to fix archivers

Posted Feb 27, 2009 18:23 UTC (Fri) by hppnq (guest, #14462) [Link] (1 responses)

I am afraid you do not really understand what I mean. I was asking how many times you expect users to go through what could be easily perceived as a pointless dialog, and what exactly is accomplished by going through this dialog.

Those who believe that we can use the execute bit to indicate a certain level of trust are indeed forced to also take into account previously completely unrelated things, like permissions of archived files. Remember the security problem addressed here is about a kind of file that used to only be meaningful in a desktop environment. By requiring that desktop launchers be actual executables we have not really solved the actual problem at all, but I am all of a sudden stuck with a whole bunch of executables and a security policy that says "You trust all your executables".

There is no dialog on earth that could repair this.

So how would your dialog handle malicious RPM scripts?

Now to fix archivers

Posted Feb 27, 2009 23:43 UTC (Fri) by liljencrantz (guest, #28458) [Link]

Ok. Rereading your comment, it still seems to me that my interpretation is by far the more natural one. But let's move on.

The simple answer to the question of how many times the question should be asked is simple: As long a no executable file is created, zero. If an executable file is created, the user should be prompted for confirmation once. The exception to this is with .desktop files, for which the prompt is shown when the file is first executed, and not when saved. Preferably, when a user is asked for confirmation and and gives it, the untrusted flag should be stripped; if the file is indeed evil, the damage is already done.

As for evil RPM:s, they are already handled by the package managers of today - packages that are not signed by a known key will not install without an extra override switch.

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 16:26 UTC (Thu) by drag (guest, #31333) [Link] (5 responses)

Thanks for the nod, lwn.

I'd just like to point out for the record that I think this .desktop file hoopla is just a symptom of a larger major security issue with the Linux desktop;

The issue is caused by the fact that so far security on Linux (and unix in general) has focused mostly on server and multiuser systems. That is the focus (besides code quality in application and external hardening) has been one of isolating and restricting accounts to prevent potentially vulnerable services or user accounts from compromising the security of the entire system. However on a typical user desktop there is only one user. For example, on my laptop I have all my important stuff in my /home directory. If a attacker attacked my laptop and successfully gained access to my user account then there is no need for them ever to get root account... they already have all my information, all my passwords stored in the browser, the ability to monitor myself and applications, etc etc.

So a typical laptop or desktop what is stored in /home/username is as much, or more critical then what is stored in /etc/shadow.

On a modern desktop it's becoming more and more internet oriented. Nowadays you have all sorts of programs regularly going on and connecting to online services, streaming media, downloading files, examining images and other data from untrusted sources, etc etc. All in all it's very complex system and a always-on desktop system can be dealing with upwards to several gigabytes worth of information every month streaming from all corners of the globe.

And then with the rise of mobile internet devices and similar efforts, like Intel's Moblin or other similar systems, it's going to get more and more intense and more and more automated.

So the likelihood of having a exploitable weakness in one of the dozens of applications that regularly connect with the internet is pretty high. Currently browsers get most of the scrutiny, but every application that gets data from untrusted sources is in the same boat. For example; I have to look up and find specifications for hardware regularly on the internet... so I am downloading and viewing PDFs from links from google without having any real idea who made them or were they come from. So a vulnerability in Evince would sink me.

So I figure there needs to be some sort of isolation so that programs that go and connect to the internet or are likely to read data from untrusted sources need to be sandboxed away from the critical areas in my desktop environment... both in terms of files and in terms of what other programs they are allowed to access. I figure something like a 'desktop profile' for Selinux (or simplier framework) would be key.

But I understand that the problems and incompatibilities that this would cause here are vast... So there may be a much more clever way to do this.

I don't know of the proper solution, but I know it's a problem and if we don't start dealing with it now it's going be a much bigger problem in 10 years time or so.

Keep in mind that Microsoft starting introducing a scheme like that with Windows XP SP2 were they are using NTFS's alternative data streams feature to store a security context about files that users deal with. So you have files with 'internet zone' vs 'trusted zone' and things like that. And this scheme has been improved and extended somewhat with later updates and Vista (and in the up and coming Windows 7). Of course the security measures that Windows is able to leverage is much weaker then what is potentially available with Linux, but they have the advantage of having something that works were we have nothing.

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 18:36 UTC (Thu) by tshow (subscriber, #6411) [Link] (1 responses)

The problem is that once you've downloaded the file, it automatically gets assigned the same trust level as all of your other files.

Why not take advantage of the multiuser nature of the underlying system? Make any program that can download things (email clients, web browsers, instant messenger programs, IRC clients...) run as a separate user, and save files under that username.

It could be something as simple as your user name with :untrusted appended to it.

It wouldn't be too hard to train Gnome and KDE to know that files from user "username" are normal, but files owned by "username:untrused" have come from the great wilds beyond the fence and require the user to bless them explicitly before they can be executed. The underlying system doesn't need training at all if the umask is set properly.

It uses the existing infrastructure, and it requires relatively few changes to work. Most of the effort is in the setup; adding a user would require setting up two accounts, one of which (the untrusted account) would be a locked no-login account with no home directory.

From the command line, the user could "bless" files with chown(1), and I suspect the "stupid people get what they deserve" rule applies to someone who opens a terminal and directly invokes a downloaded script without vetting it. For actual executables, you'd be foiled by the lack of group/other execute permission in the umask if you tried to run it.

On the GUI side, all that really needs to be done is the launchers need to check to see if the uid of the file is suspicious (which they ought to be doing anyways...), and if so, bring up an appropriate dialog, that could be one of:

- the file is owned by some other (non-root) user on the system and is effectively executable, do you want to [make & run owned copy] [run] [cancel]

- the file is owned by your untrusted alter-ego, and is not executable, do you want to [take ownership & open] [open], [cancel]

- the file is owned by your untrusted alter-ego, is executable or contains a script, dialog has a big picture of your parents looking stern, [pick up the soap][flee]

It might even be worth saying you simply can't bless executable files owned by your untrusted alter-ego without dropping to the command line and using chown.

The other part of this is that making magic executables with .desktop was a mistake. It wouldn't have been hard to use "shabang" to make .desktop files legitimately executable through the standard system, at which point they'd even (!) work properly from the command line, and they'd inherit the security mechanisms built around file access. Every alternate path to execution in the system is another possible point of failure for security.

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 19:10 UTC (Thu) by drag (guest, #31333) [Link]

Well the nice thing about taking advantage of Selinux (or Smack, or Apparmor, or some desktop-specific LSM layer) is that you can apply the security contexts to applications without having to do extensive rewriting of them or whatnot.

So typically a application is launched when you double click on a file. As long as that application gets launched as a separate process then it's (relatively) easy to isolate that process and restrict it's movements. As long as the program behaves itself this should be all completely transparent to the end user and would not require any rewrite of the application, barring any bugs. That is you get the security 'for free' without bugging the user with dialogs or having applications run in a odd manner. This should work with very little impact to the end user and should apply (relatively) easily to most programs.

Now the problems you run into are programs that try to 'optimize' things by launching new instances in threads. Programs like your web browser.

The other way this breaks down is if you have a running program and you go to open up a file through the application file dialog. You can get around this by making the file dialog aware of what is going on and adding a notification to bug the user or something like that. That shouldn't be terrifically difficult for the KDE and Gnome applications, but it would be troublesome for applications that use their own file dialogs (OO.org, for example).

----------------------------

The other way to go about it would be trying to take advantage of some of the work going into trying to standardize the anti-virus stuff.

That is efforts to get on-demand scanning into the kernel were the kernel can intercept files being accessed and defer to a userland program, which then can allow or disallow the access.

Then you can intercept the programming accessing a risky file and then pop up a dialog warning the user.

Or you could program that into nautilus, konquerer, and the file dialogs to check that stuff..

But I don't like that because that's annoying and will be just another dialog for a user to ignore. They downloaded the file and while it may be risky they still want to find out what is in it... so by opening it in a application is the only way they could know what it really is. So your forcing the end user to make security decisions without allowing them the information they need to make the correct decision. If they make a bad decision and it's a malicious file then it still gets read into a program with full user privileges. So it's a bit of a mess.

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 19:28 UTC (Thu) by raven667 (subscriber, #5198) [Link] (2 responses)

What you are looking for is largely implemented using SELinux policies and extended attributes to
files that include security tag information. SELinux policies are being pushed into X and used to
manage Firefox as well as most of the other network connected software on your system. This has
largely already been accomplished, if you are running a reasonably recent copy of Fedora (from the
last several years) all this stuff exists and is enabled by default. As long as the applications behave
and the policies are right the underlying protection is pretty unobtrusive.

While we stand around and talk about how browser and desktop security should work in the future,
others are actually taking care of the problem and before anyone realizes it has happened it will all
be done.

Desktop malware risk gets raised and patched

Posted Feb 26, 2009 23:52 UTC (Thu) by drag (guest, #31333) [Link] (1 responses)

> While we stand around and talk about how browser and desktop security should work in the future, others are actually taking care of the problem and before anyone realizes it has happened it will all be done.

That's good people are putting work into it.

It's definitely something that needs to be touted then if the work is getting done. It can be a very important selling point for some people... especially corporations that hand laptops out to salespeople and whatnot. Since they are not in their corporate sandbox then there is very little IT people can do to control the environment in which these things run.

Being able to not only lock down the desktop to secure it without restricting user's ability to use and get the full benefit of the OS environment is a huge thing and is something you can't get from Windows.

This sort of thing would be a real, obvious, and tangible benefit to switching to Linux.

Desktop malware risk gets raised and patched

Posted Feb 28, 2009 21:33 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]

Fedora has been doing a lot of desktop SELinux work including xguest and lock down of common desktop programs including dbus and browser plugins. A few references:

http://james-morris.livejournal.com/39013.html
http://danwalsh.livejournal.com/13376.html

Desktop malware risk gets raised and patched

Posted Feb 28, 2009 22:03 UTC (Sat) by hingo (guest, #14792) [Link]

"GNOME will add an executable permission to all existing .desktop files when upgrading — a move that KDE, for now, will not follow. "We thought about it but opted to start with the dialog," Pyne tells LWN. "Some kind of dialog will be required no matter what, and any auto-upgrade we do in KDE would have to be done with the user's permission. We may still do it, but it not set yet."

WTF? The dialog is not the point. You can keep the dialog. It is the whitelist that is a hack. You don't need to author and maintain a whitelist, this is the purpose why unix has the executable permission, please use it.

"KDE user"

Rant about "mark it trusted" dialog

Posted Mar 5, 2009 11:02 UTC (Thu) by forthy (guest, #1525) [Link]

I don't think this dialog will help. The e-mail will contain a text, describing "Just drag the file onto your desktop. When you open it first on a Linux machine, you might get a strange and cryptic warning message - I don't know why, must be a bug, but just clicking on "trust the file" worked for me." And users are already trained to click away all those warning messages without giving them the tiniest bit of thought.

What's worse is that repositories like SuSE's community repositories give a false sense of being trustworthy by having public key signatures - but no trust chain whatsoever! The only thing the user can do on these occasional key changes is to import the new key - he has no idea why the key has changed, if this is a man-in-the-middle attack or whatever. The people who operate these repositories should go to a key signing party on the next Linux related event, and get signatures of a few hundred Linux enthusiasts on their personal key, which they then use to sign the repository key (plus a signature of the distributor's master key) - this will allow to set a level of trust for the key. Note that SuSE's one-click-install is another extremely easy way to get software installed. But at least the user knows that it is software, which is installed (though without trust chain, it's impossible to verify how trustworthy the source is).

Desktop malware risk gets raised and patched

Posted Jan 31, 2017 13:50 UTC (Tue) by cortana (subscriber, #24596) [Link]

Deja vu! https://www.reddit.com/r/linux/comments/5r6va0/how_to_eas...


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds