On Wed, 1 Jan 2020 20:36:01 +0000 Jonathan Aquilina <jaquil...@eagleeyet.net> said:
> Evening All,
>
> I have a question is there anyone working on ethically hacking all aspects of
> enlightenment. Reason I am asking is it might be a good idea to ensure
> enlightenment does not pose any issues from a security aspect for end users.

I am not sure if anyone is. You'd need to know what to look at to find the right things to go for, but pretty much if it's "some process running as the same UID as E managed to get E to do something it shouldn't" then that's an invalid thing to test as running in the same security domain (e.g. same UID with no extra containerizing like smack etc.) is already a free-for-all.

Places that matter:

Any of the setuid root tools e ships to make things work like shutdown/reboot on non-systemd systems or l2ping bt pinging or the backlight control tool for when xrandr/intel backlight controls are not there etc. ... If these tools can be abused to do something they were not intended to do - then that'd be a problem.

Also efm is a possible thing - imagine browsing a thumbdrive that someone put malicious files on and somehow crafted it to exploit you. Not talking about a user dumbly running a binary on that drive but more simply things like browsing around "innocently" and being taken for a ride.

Incoming BT pairing requests from bluetoothd too are a possibility - it should not allow someone to craft some pairing thing that might cause E to misbehave. I don't think E will as bluez (bluetoothd) already will filter and make things quite simple and constrained, but who knows... :)

The above kind of things are what probably matter. I don't know of anyone digging around with these.

> Let me know your opinions on this as this is an area that really does
> interest me for sure 😊
>
> Hope everyone had a great Christmas and wanting to wish everyone a very happy
> and prosperous new year!
>
> _______________________________________________
> enlightenment-devel mailing list
> enlightenment-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/enlightenment-devel

--
------------- Codito, ergo sum - "I code, therefore I am" --------------
Carsten Haitzler - ras...@rasterman.com