On Fri, Jan 30, 2004 at 04:52:26PM -0500, gabriel wrote:
> On January 30, 2004 04:15 pm, Peter Wu wrote:
> >
> > If I write a shell script and attach to an email sent to you, then you
> > save the attached shell script and run it when you happen to have the
> > root privilege?
> >
> > IIRC, any binary files can be attached to an email. Correct me if I am
> > wrong.
>
> you're not wrong, but your logic is. yes, you can attach any filetype to an
> email, even a small bash script with the following contents:
>
> #!/bin/bash
> rm -rf ~/
>
> the question is whether or not a user can accidentally break their computer
> with this. see, if i send you the above, it'll come to you as a
> *non-executable* attachment. it doesn't matter if it's executable on my box,
> when i send it to you, you'll have to save it locally and when you do, it's
> got 0644 permissions (unless you're doing something funky with your umask).
> you'd have to chmod u+x the file and run it to do any damage.
You're right in this sense. I cannot directly run the script.
> the exception of course is a tarball. you can extract stuff from a tarball
> and it'll retain its permissions, but that still requires the end user to be
> an idiot and unpack then manually run the script. that's no different from
> telling them to run the above commands manually.
That is the problem. Many Windows users are told in the email how to open
and run the executable virus. Sometimes, the viral emails disguise
themselves as if they were sent from Microsoft Support Team.
> in the end it's in the lap of the end user anyway. i'll say it now: if you're
> running your desktop as root, you're asking for it. why use a multi-user o/s
> that protects you from windows-esque problems if you're going to circumvent
> them anyway?
Well, as I said in another post, on Windows, you can choose to run under a
user without root privilege. Also, I know there are many new Linux users
that like to use root instead of a normal account to do something
dangerous. They do not like to su to root when performing some potentially
dangerous jobs.
--
,,,
(o o) Peter Wu
---ooO-(_)-Ooo--- Powered by GNU/Linux 2.4.22
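The permission behaviour discussed in this thread, as an added example that is not part of the original messages: a file saved under umask 022 ends up 0644, while a tar member carries its own stored mode, which can be inspected and cleared on extraction. The function names, file names and sample archive are constructed for illustration.

```python
import io
import os
import stat
import tarfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def saved_attachment_mode(directory, umask=0o022):
    """Create a file as a mail client would (requested mode 0666, trimmed by umask)."""
    path = os.path.join(directory, "attachment.sh")
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def build_sample_tarball():
    """Constructed sample: one 0755 script and one 0644 text file, built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, data in (("run-me.sh", 0o755, b"#!/bin/sh\necho hello\n"),
                                 ("README.txt", 0o644, b"notes\n")):
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def executable_members(tar_bytes):
    """List regular files whose stored mode carries any execute bit."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [m.name for m in tar.getmembers() if m.isfile() and m.mode & EXEC_BITS]


def extract_without_exec(tar_bytes, dest):
    """Write regular files only, with execute bits cleared; return name -> mode."""
    modes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in (m for m in tar.getmembers() if m.isfile()):
            path = os.path.join(dest, os.path.basename(m.name))  # flat: no path traversal
            with open(path, "wb") as out:
                out.write(tar.extractfile(m).read())
            os.chmod(path, m.mode & 0o666)  # keep read/write bits, drop x for everyone
            modes[m.name] = stat.S_IMODE(os.stat(path).st_mode)
    return modes
```

Running `executable_members` on an archive before unpacking shows which files would arrive ready to run, which is the one case in the thread where no `chmod u+x` step stands between the user and the script.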
