LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

LWN.net Weekly Edition for November 13, 2008

NLUUG/ELCE: Embedded devices and free software

The sad story of the em28xx driver

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

A different kind of bad week

A different kind of bad week

Posted Sep 26, 2003 11:02 UTC (Fri) by cross (subscriber, #13601)
In reply to: A different kind of bad week by Wout
Parent article: A different kind of bad week

> On a desktop system, there is usually one user.

Depends. Many households have one PC which is used by more than one user. It's sensible for each of them to have their own accounts, settings, preferences etc.

> The most valuable files on such a system are probably owned by that
> user. This means that a virus that damages those files has achieved
> just about the worst that could happen - from the user's point of view.
>
> What we need is some kind of seperation between user programs that
> receive untrusted (possibly malicious) input (eg. mail clients) and the
> user's files. I don't know how that could be implemented without annoying
> users though.

It's fairly simple. Create a new account solely for the email program. Put yourself and that account in the same group (creating it for the purpose). For the sake of argument, "mymail". Make sure that the "mymail" account is group readable and writeable, make sure that your account isn't. Now even a malicious executable that your email client actually executed wouldn't be able to cause any damage under your home directory let alone systemwide. It does mean that if you want to send a document or other attachment you first need to copy it to the mymail's home directory. But that's why we made it group writeable.

(Log in to post comments)

A different kind of bad week

Posted Sep 26, 2003 12:51 UTC (Fri) by Wout (subscriber, #8750) [Link]

>> On a desktop system, there is usually one user.
>
>Depends. Many households have one PC which is used by more than one user.
> It's sensible for each of them to have their own accounts, settings, preferences etc.

Yes, but my point is that user files are the most important thing on a desktop system. Yet important as they are, they are also the most vulnerable to viruses and such.

>> What we need is some kind of seperation between user programs that
>> receive untrusted (possibly malicious) input (eg. mail clients) and the
>> user's files. I don't know how that could be implemented without
>> annoying users though.
>
>It's fairly simple. Create a new account solely for the email program. Put yourself and that account in the same
>group (creating it for the purpose). For the sake of argument, "mymail". Make sure that the "mymail" account
>is group readable and writeable, make sure that your account isn't. Now even a malicious executable that your
>email client actually executed wouldn't be able to cause any damage under your home directory let alone
>systemwide. It does mean that if you want to send a document or other attachment you first need to copy it to
>the mymail's home directory. But that's why we made it group writeable.

This is the kind of solution that techies can use, but that are impractical for most other people because they don't understand file ownership, accounts and groups. What you need is protection that is invisible until the user requires it, which is exactly what a snapshot based system can provide. It even provides protection against the quite common case of people accidentily deleting or overwriting their files.

A different kind of bad week

Posted Sep 26, 2003 14:46 UTC (Fri) by cross (subscriber, #13601) [Link]

> Yes, but my point is that user files are the most important thing on a
> desktop system. Yet important as they are, they are also the most
> vulnerable to viruses and such.

We agree completely on this point.

> This is the kind of solution that techies can use, but that are
> impractical for most other people because they don't understand
> file ownership, accounts and groups.

If you can't explain it simply, you don't understand it well enough (Albert Einstein). The analogy I use is rooms in a house. Even very young kids understand "this is Jamie's room, you don't go in there unless he says it's OK". It's trivial then to grasp "this is Jamie's directory, you can't go in there".

> What you need is protection that is invisible until the user requires it

Which basically means that the installer should take care of it. When you choose "create new user" in your GUI tool and check the "setup mail" box it should create the "jamie" account, the "jamiemail" account and the "jamiemail" group, make a link in Jamie's home directory to "/home/jamiemail" so that Jamie can see it and knows that's where he puts things he wants to email to someone else, or save things some else sent him. You do need to explain that he doesn't leave things there if he wants to be sure they'll still be there tomorrow, but using the previous analogy, that's the difference between putting things away in his room and leaving them out in the back garden. Chances are nobody will come into the garden that night and take them, but they might. It's a concept easily grasped.

Is this non-obvious? Do you think it's non-obvious enough that I could get a patent on it? ;-)

> which is exactly what a snapshot based system can provide. It even
> provides protection against the quite common case of people accidentily
> deleting or overwriting their files.

It's a very good idea, and something that should also be done. But it's a solution to a different problem.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds