On Sat, Jan 31, 2004 at 07:55:05AM +0100, LJN wrote:
> On Sat, 2004-01-31 at 08:49, [EMAIL PROTECTED] wrote:
> > On Sat, Jan 31, 2004 at 12:51:42AM -0500, Andrey Kartashov wrote:
> > > 
> > > Hi, all!
> > > 
> > > I'm using blackbox wm and have noticed that the styles don't set the root
> > > window background because the feature is disabled by the 
> > > 
> > > epatch ${FILESDIR}/disable_rootcommand.patch
> > > 
> > > The warning message says:
> > > 
> > > ewarn "RootCommand is now DISABLED to close a large"
> > > ewarn "security hole."
> > > 
> > > I'm trying to think of an example that would exploit it and can't think of 
> > > any. Could someone, please, explain it to me?
> > 
> > I think that's an "exercise left for the reader." Make sure you let us
> > know how you did it.
> > 
> > Regards,
> > Brian
> I'm not sure if you still can,  but you used to be able to have your
> blackbox settings in your homedir too where you might have some funny
> permissions.

Sorry, I still don't get it. Assuming I do have funny permissions on my home dir, 
there are many other equally nasty ways to screw me up: modify my .bash* or
.xinitrc, anything in my ~/bin, read my .ssh/id_*, you get the idea.

IF I were to download random 'style' off the web and apply it, then it could be 
if someone put a malicious command in. But even this scenario is not substantially
different from downloading/executing any number of other programs/scripts.
I can't verify everything, so there are certain levels of trust.
I trust that the stuff I get when I 'emerge' package is not going to screw me up.
When on the other hand I come across some other 'useful' script on someone's web page, 
I read it first before I execute it.

I would be perfectly happy if there were a 'USE' flag that turns this 'RootCommand' on.
This way one would be forced to read about it before enabling it and thus learn what
the consequences are.

- Andrey

~ In theory, practice and theory are the same,
  but in practice they are different (Larry McVoy) ~

[EMAIL PROTECTED] mailing list

Reply via email to