To comment on the following update, log in, then open the issue: http://www.openoffice.org/issues/show_bug.cgi?id=18860
------- Additional comments from [EMAIL PROTECTED] Mon May 12 18:54:36 +0000 2008 ------- Good to see that the Java library mentioned does not allow for normal user to become root/ Administrator. >The trusted directory list is written as plain text in the ><oooDir>/user/share/registry/data/org/openoffice/office/common.xcu >This file is not protected I see no problem with that as long as it cannot be altered by scripts run by OpenOffice.org. @pjanik: Most people running Windows are still running users with administrative rights to run normal programs. This is of course far from secure. Still, we are not living in Utopia. It is a reality that developers need to take in account when designing security in any program that allows for scripted file-access. These people mentioned above make up the majority of your userbase. Any scripted change to the internal configuration files of OOo, especially the entries concerning application security should be classified as possible threat and dealt with accordingly. The suggested Administrator password method seems a bit unfriendly for normal users who tend to forget the Administrator password. A normal [OK, Cancel]-dialog clearly stating what file is about to be modified, (not accessible by any scripts) would suffice here. The decision of the user should be recorded locally, not in the file itself. The same security should also be applied for scripted linking of the current document to another file with write access to that file. You claim that it makes no sense to provide any security if the File System is already wide open. Most applications I run don't allow for *scripted* changes to files without User Interaction, except for the document that the user is currently working on. Read-access can pose some security threat, but Write access can prove fatal if left unchecked. As you may have noticed, my emphasis lies on *scripted* access, direct write access to the File System without any confirmation required from the user. --------------------------------------------------------------------- Please do not reply to this automatically generated notification from Issue Tracker. Please log onto the website and enter your comments. http://qa.openoffice.org/issue_handling/project_issues.html#notification --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
