At 05:56 07/12/2000 +0000, rvj wrote:
> >As for detecting subsequent
> > tampering on your own machine, there's no way (that I know of) for a
> > remote attacker to modify code on your machine
>
>
>I was thinking of in-house tampering - possibly modifying scripts etc - I
>think there is real likely hood of this.
If someone could do that, then likely they could build their own Mozilla
anyway. Or alternatively, edit the installed-chrome.txt file and change it
from jars to straight source. If you want this kind of control then you
need to change the permissions of the chrome directory after installation
so that it can't be modified. You could also have a centralised chrome
directory with installed-chrome.txt pointing to it, and of course that file
would have to have higher permissions than the general user.
Simon
>If say a package is installed as a JAR then I would have thought that that
>the installer program could at least keep its byte count in say the
>component registry
>
>When the Mozilla starts the package Mozilla could at least check the byte
>count of the file against value in the component registry.
>
>Alternatively installation details could be saved and possibly password
>protected .e.g. a package (or spoof) cannot be reinstalled without knowing
>the installation password.
>
>While not fool proof, it seems just too easy at the moment.
