Re: [E-devel] Hacking all aspects of enlightenment

2020-01-07 Thread The Rasterman
On Wed, 1 Jan 2020 20:36:01 + Jonathan Aquilina said:

> Evening All,
> 
> I have a question: is there anyone working on ethically hacking all aspects of
> enlightenment? Reason I am asking is it might be a good idea to ensure
> enlightenment does not pose any issues from a security aspect for end users.

I am not sure if anyone is. You'd need to know what to look at to find the
right things to go for, but pretty much if it's "some process running as the
same UID as E managed to get E to do something it shouldn't" then that's an
invalid thing to test as running in the same security domain (e.g. same UID
with no extra containerizing like smack etc.) is already a free-for-all.

Places that matter: Any of the setuid root tools E ships to make things work
like shutdown/reboot on non-systemd systems or l2ping BT pinging or the
backlight control tool for when xrandr/intel backlight controls are not there
etc. ... If these tools can be abused to do something they were not intended to
do - then that'd be a problem.

Also efm is a possible thing - imagine browsing a thumbdrive that someone put
malicious files on and somehow crafted it to exploit you. Not talking about a
user dumbly running a binary on that drive but more simply things like
browsing around "innocently" and being taken for a ride.

Incoming BT pairing requests from bluetoothd too are a possibility - it should
not allow someone to craft some pairing thing that might cause E to misbehave.
I don't think E will as bluez (bluetoothd) already will filter and make things
quite simple and constrained, but who knows... :)

The above kind of things are what probably matter. I don't know of anyone
digging around with these.

> Let me know your opinions on this as this is an area that really does
> interest me for sure 
> 
> Hope everyone had a great Christmas and wanting to wish everyone a very happy
> and prosperous new year!
> 
> ___
> enlightenment-devel mailing list
> enlightenment-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/enlightenment-devel


-- 
- Codito, ergo sum - "I code, therefore I am" --
Carsten Haitzler - ras...@rasterman.com
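
For a setuid-root helper such as the backlight tool mentioned above, "cannot be abused to do something it was not intended to do" starts with argument handling. The following is an added example, not Enlightenment's code and not part of the original thread; the helper's argument layout, the limits and the sysfs path are assumptions.

```c
/* Added example, not Enlightenment's code. Hypothetical setuid-root helper:
 * helper <device> <level>. Names, limits and sysfs layout are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BL_DIR "/sys/class/backlight" /* fixed root, never taken from argv */
#define MAX_LEVEL 100000L             /* assumed ceiling for this sketch */

/* Device name must be one path component: no '/', no '.', bounded length. */
int valid_device(const char *name)
{
    static const char allowed[] = "abcdefghijklmnopqrstuvwxyz"
                                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
    size_t n = strlen(name);
    return n > 0 && n <= 64 && strspn(name, allowed) == n;
}

/* Decimal digits only: no sign, no whitespace, no trailing bytes, 0..max. */
int parse_level(const char *s, long max, long *out)
{
    char *end;
    if (s[0] < '0' || s[0] > '9') return -1; /* strtol would skip " " and "+" */
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max) return -1;
    *out = v;
    return 0;
}

int main(int argc, char **argv)
{
    char path[256];
    long level;
    if (argc != 3 || !valid_device(argv[1]) ||
        parse_level(argv[2], MAX_LEVEL, &level) != 0) {
        fprintf(stderr, "usage: helper <device> <level>\n");
        return 2;
    }
    /* The only caller-controlled part of the path is the validated name. */
    snprintf(path, sizeof(path), "%s/%s/brightness", BL_DIR, argv[1]);
    FILE *f = fopen(path, "w");
    if (!f) return 1;
    int ok = fprintf(f, "%ld\n", level) > 0;
    return (fclose(f) == 0 && ok) ? 0 : 1;
}
```

The helper runs no other program and reads no environment variables or configuration files, so the two validators are its entire caller-controlled input surface.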





Re: [E-devel] Hacking all aspects of enlightenment

2020-01-01 Thread Jonathan Aquilina
Is it hard to get an environment set up with Wayland?



On 02/01/2020, 05:49, "Simon Lees" wrote:

Hi,

On 1/2/20 7:06 AM, Jonathan Aquilina wrote:
> Evening All,
> 
> I have a question: is there anyone working on ethically hacking all
> aspects of enlightenment? Reason I am asking is it might be a good idea to
> ensure enlightenment does not pose any issues from a security aspect for end
> users.
> 
> Let me know your opinions on this as this is an area that really does
> interest me for sure
> 
> Hope everyone had a great Christmas and wanting to wish everyone a very
> happy and prosperous new year!

Under X11 there is little point in doing much, it was never designed
with security in mind so things like key logging and screen grabbing can
be done just using the native X11 API. If you think about what apps like
synergy and gimp's color picker can do using native APIs with no
privileges you'll get a good idea. As such many things that would
generally be a security issue in other software don't get heaps of time
because you can probably do it using the API without an exploit anyway.

Having said that there are certainly areas worth looking at, especially
the binaries using suid bits to see if you can do any privilege
escalation. Wayland also sandboxes apps much better so it's probably
worth looking there because anything you find would be worthwhile.


-- 

Simon Lees (Simotek)   http://simotek.net

Emergency Update Team   keybase.io/simotek
SUSE Linux   Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B






Re: [E-devel] Hacking all aspects of enlightenment

2020-01-01 Thread Simon Lees
Hi,

On 1/2/20 7:06 AM, Jonathan Aquilina wrote:
> Evening All,
> 
> I have a question: is there anyone working on ethically hacking all aspects of
> enlightenment? Reason I am asking is it might be a good idea to ensure
> enlightenment does not pose any issues from a security aspect for end users.
> 
> Let me know your opinions on this as this is an area that really does 
> interest me for sure 
> 
> Hope everyone had a great Christmas and wanting to wish everyone a very happy 
> and prosperous new year!

Under X11 there is little point in doing much, it was never designed
with security in mind so things like key logging and screen grabbing can
be done just using the native X11 API. If you think about what apps like
synergy and gimp's color picker can do using native APIs with no
privileges you'll get a good idea. As such many things that would
generally be a security issue in other software don't get heaps of time
because you can probably do it using the API without an exploit anyway.

Having said that there are certainly areas worth looking at, especially
the binaries using suid bits to see if you can do any privilege
escalation. Wayland also sandboxes apps much better so it's probably
worth looking there because anything you find would be worthwhile.


-- 

Simon Lees (Simotek)   http://simotek.net

Emergency Update Team   keybase.io/simotek
SUSE Linux   Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B





[E-devel] Hacking all aspects of enlightenment

2020-01-01 Thread Jonathan Aquilina
Evening All,

I have a question: is there anyone working on ethically hacking all aspects of
enlightenment? Reason I am asking is it might be a good idea to ensure
enlightenment does not pose any issues from a security aspect for end users.

Let me know your opinions on this as this is an area that really does interest 
me for sure 

Hope everyone had a great Christmas and wanting to wish everyone a very happy 
and prosperous new year!
