Do I suppose that people piping code straight from the Internet
into a shell will fall for misleading text in a dialog box? Yes, I
suppose people insane enough to pipe arbitrary code into a running shell
*would* fall for it.
Posted Feb 27, 2009 5:09 UTC (Fri) by jimparis (subscriber, #38647)
I think you misunderstood his point, which I read as: What if the "Exec=" command in the .desktop file is misleading? Such that the user reads your dialog box, decides the command looks benign, and then clicks Continue --> but really it was just a cleverly hidden attack.
I don't think you can expect to work around this any more than you can teach users to not trust "https://www.paypal.com.nigerian-scammers-love-you.com". However, it's an argument FOR keeping some text like "If you don't know where this came from or what's going on, click Cancel" in the dialog box.
As an example, your recent dialog (krun8.png) might end up reading:
"This will start the program:
xterm -e 'dd if=/dev/null of=/dev/sda'
If you do not trust this program, press cancel"
and users could think "Oh, well, I don't fully understand what that means, but I do trust xterm, so I'll click OK"
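As an added illustration (not code from this thread or from KDE), the following Python reads the Exec= line of a .desktop file using the Desktop Entry quoting rules and peels off terminal/shell wrappers such as xterm -e and sh -c, so that a confirmation dialog can show the command that actually runs rather than the familiar wrapper name; the wrapper list, function names and the sample .desktop body are assumptions constructed for this example.

```python
import re
import shlex

# Programs whose -e / -c option hides the real command (assumed list for this example).
WRAPPER_FLAGS = {"xterm": "-e", "konsole": "-e", "sh": "-c", "bash": "-c"}

def parse_desktop_exec(text):
    """Return the first Exec= value in a .desktop file body, or None."""
    m = re.search(r"^Exec=(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def split_exec(value):
    """Tokenize Exec= per Desktop Entry quoting (double quotes, backslash escapes); drop %-field codes."""
    args, cur, quoted, i = [], "", False, 0
    while i < len(value):
        ch = value[i]
        if quoted and ch == "\\" and i + 1 < len(value):
            cur += value[i + 1]
            i += 1
        elif ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        args.append(cur)
    return [a.replace("%%", "%") for a in args if not re.fullmatch(r"%[A-Za-z]", a)]

def effective_command(argv):
    """Peel terminal/shell wrappers (xterm -e ..., sh -c "...") and return
    (wrapper names, argv that actually runs) so a dialog can show the latter."""
    layers = []
    while argv:
        prog = argv[0].rsplit("/", 1)[-1]
        flag = WRAPPER_FLAGS.get(prog)
        if flag is None or flag not in argv[1:]:
            break
        layers.append(prog)
        inner = argv[argv.index(flag, 1) + 1:]
        # a lone argument (or any -c string) is handed to a shell and re-split
        if inner and (flag == "-c" or len(inner) == 1):
            inner = shlex.split(inner[0])
        argv = inner
    return layers, argv

SAMPLE = ('[Desktop Entry]\nName=Free Games!\n'  # constructed sample .desktop body
          'Exec=xterm -e "dd if=/dev/null of=/dev/sda"\n')
```

Running effective_command(split_exec(parse_desktop_exec(SAMPLE))) yields (['xterm'], ['dd', 'if=/dev/null', 'of=/dev/sda']), which is the line a dialog should put in front of the user.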