Re: [gentoo-user] RootCommand in blackbox
On Sat, Jan 31, 2004 at 12:51:42AM -0500, Andrey Kartashov wrote:
> Hi, all!
>
> I'm using blackbox wm and have noticed that the styles don't set the
> root window background because the feature is disabled by the
>     epatch ${FILESDIR}/disable_rootcommand.patch
> The warning message says:
>     ewarn RootCommand is now DISABLED to close a large
>     ewarn security hole.
>
> I'm trying to think of an example that would exploit it and can't think
> of any. Could someone, please, explain it to me?

I think that's an exercise left for the reader. Make sure you let us know how you did it.

Regards,
Brian

--
Brian Richardson
Sun Certified Java Programmer
GnuPG Fingerprint 132E 867F 4E73 0607 A4AA 49A7 CB0D BCC9 DEC2 886C
Public Key available at http://www.cubik.ca/
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] RootCommand in blackbox
On Sat, 2004-01-31 at 08:49, [EMAIL PROTECTED] wrote:
> On Sat, Jan 31, 2004 at 12:51:42AM -0500, Andrey Kartashov wrote:
> > Hi, all!
> >
> > I'm using blackbox wm and have noticed that the styles don't set the
> > root window background because the feature is disabled by the
> >     epatch ${FILESDIR}/disable_rootcommand.patch
> > The warning message says:
> >     ewarn RootCommand is now DISABLED to close a large
> >     ewarn security hole.
> >
> > I'm trying to think of an example that would exploit it and can't think
> > of any. Could someone, please, explain it to me?
>
> I think that's an exercise left for the reader. Make sure you let us
> know how you did it.
>
> Regards,
> Brian

I'm not sure if you still can, but you used to be able to have your blackbox settings in your homedir too where you might have some funny permissions.
Re: [gentoo-user] RootCommand in blackbox
On Sat, Jan 31, 2004 at 07:55:05AM +0100, LJN wrote:
> On Sat, 2004-01-31 at 08:49, [EMAIL PROTECTED] wrote:
> > On Sat, Jan 31, 2004 at 12:51:42AM -0500, Andrey Kartashov wrote:
> > > Hi, all!
> > >
> > > I'm using blackbox wm and have noticed that the styles don't set the
> > > root window background because the feature is disabled by the
> > >     epatch ${FILESDIR}/disable_rootcommand.patch
> > > The warning message says:
> > >     ewarn RootCommand is now DISABLED to close a large
> > >     ewarn security hole.
> > >
> > > I'm trying to think of an example that would exploit it and can't
> > > think of any. Could someone, please, explain it to me?
> >
> > I think that's an exercise left for the reader. Make sure you let us
> > know how you did it.
> >
> > Regards,
> > Brian
>
> I'm not sure if you still can, but you used to be able to have your
> blackbox settings in your homedir too where you might have some funny
> permissions.

Sorry, I still don't get it. Assuming I do have funny permissions on my home dir, there are many other equally nasty ways to screw me up: modify my .bash* or .xinitrc, anything in my ~/bin, read my .ssh/id_*, you get the idea.

IF I were to download random 'style' off the web and apply it, then it could be dangerous if someone put a malicious command in. But even this scenario is not substantially different from downloading/executing any number of other programs/scripts.

I can't verify everything, so there are certain levels of trust. I trust that the stuff I get when I 'emerge' package is not going to screw me up. When on the other hand I come across some other 'useful' script on someone's web page, I read it first before I execute it.

I would be perfectly happy if there were a 'USE' flag that turns this 'RootCommand' on. This way one would be forced to read about it before enabling it and thus learn what the consequences are.

--
- Andrey

~ In theory, practice and theory are the same, but in practice
they are different (Larry McVoy) ~
Re: [gentoo-user] RootCommand in blackbox
On Sat, 31 Jan 2004 12:34:31 -0500, Andrey Kartashov wrote:
> On Sat, Jan 31, 2004 at 12:51:42AM -0500, Andrey Kartashov wrote:
> > I'm using blackbox wm and have noticed that the styles don't set the
> > root window background because the feature is disabled by the
> >     epatch ${FILESDIR}/disable_rootcommand.patch
> > The warning message says:
> >     ewarn RootCommand is now DISABLED to close a large
> >     ewarn security hole.
>
> IF I were to download random 'style' off the web and apply it, then it
> could be dangerous if someone put a malicious command in.

I'm pretty sure this is the only reason why it is patched out.

> I trust that the stuff I get when I 'emerge' package is not going to
> screw me up. When on the other hand I come across some other 'useful'
> script on someone's web page, I read it first before I execute it.

Just because you do that, doesn't mean everybody else does as well.

> I would be perfectly happy if there were a 'USE' flag that turns this
> 'RootCommand' on. This way one would be forced to read about it before
> enabling it and thus learn what the consequences are.

Yeah maybe.

By the way, may I suggest openbox (version 3 and up) instead of blackbox? It has more deps and the themefile format isn't compatible with blackbox anymore, but it's pretty fast and looks pretty similar to bb AND conforms to freedesktop.org standards. It doesn't have a RootCommand though. :P

If you try it, try obconf as well, to configure the wm.
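The risk discussed in this thread (a downloaded style carrying a command, or a style in a home directory with loose permissions) can be checked before a style is applied. The following is an added example, not part of the original thread or of blackbox itself; it assumes styles keep the command in a `rootCommand:` resource and that only `bsetroot` with plain arguments is expected.

```python
import os
import re
import stat
import sys

# Assumption: styles are X-resource text where "rootCommand:" holds the
# command blackbox runs for the root window, and "!" starts a comment.
ROOTCMD = re.compile(r"^\s*[\w.*]*rootCommand\s*:\s*(.*)$", re.IGNORECASE)
# Assumption: the only expected command is bsetroot with plain arguments.
ALLOWED = re.compile(r"^bsetroot(\s+-[A-Za-z]+|\s+[#\w.:/]+)*\s*$")

# Constructed sample style, not taken from any real theme.
SAMPLE = """! constructed sample
window.font: fixed
rootCommand: bsetroot -solid rgb:4/5/6
"""


def root_commands(text):
    """Return every rootCommand value found in a style file's text."""
    cmds = []
    for line in text.splitlines():
        if line.lstrip().startswith("!"):
            continue
        match = ROOTCMD.match(line)
        if match:
            cmds.append(match.group(1).strip())
    return cmds


def audit_style(path):
    """Return findings for one style file; an empty list means nothing to review."""
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other")
    if st.st_uid not in (0, os.getuid()):
        findings.append("owned by another non-root user")
    with open(path, errors="replace") as fh:
        for cmd in root_commands(fh.read()):
            if not ALLOWED.match(cmd):
                findings.append("rootCommand needs review: " + cmd)
    return findings


if __name__ == "__main__":
    for style in sys.argv[1:]:
        for finding in audit_style(style):
            print(f"{style}: {finding}")
```

Run it with the style files as arguments; a style that prints nothing has no group/other write bit, is owned by root or by you, and sets the background only through `bsetroot`.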
Re: [gentoo-user] RootCommand in blackbox
On Sat, Jan 31, 2004 at 08:05:21PM +0100, Alexander Futasz wrote:
[skpd]
> > I would be perfectly happy if there were a 'USE' flag that turns this
> > 'RootCommand' on. This way one would be forced to read about it before
> > enabling it and thus learn what the consequences are.
>
> Yeah maybe.
>
> By the way, may I suggest openbox (version 3 and up) instead of
> blackbox? It has more deps and the themefile format isn't compatible
> with blackbox anymore, but it's pretty fast and looks pretty similar to
> bb AND conforms to freedesktop.org standards. It doesn't have a
> RootCommand though. :P
>
> If you try it, try obconf as well, to configure the wm.

Thanks, I'll give it a shot! :)

--
- Andrey

~ In theory, practice and theory are the same, but in practice
they are different (Larry McVoy) ~
[gentoo-user] RootCommand in blackbox
Hi, all!

I'm using blackbox wm and have noticed that the styles don't set the root window background because the feature is disabled by the
    epatch ${FILESDIR}/disable_rootcommand.patch
The warning message says:
    ewarn RootCommand is now DISABLED to close a large
    ewarn security hole.

I'm trying to think of an example that would exploit it and can't think of any. Could someone, please, explain it to me?

Here is my logic: when I set a particular style using 'blackbox' menu its 'style' file is read from /usr/share/commonbox/styles directory. All the files in it look like

    -rw-r--r--  1 root root 3120 Jan 19 04:21 Twice

Why is it not to be trusted? How is it different from any other script owned by 'r00t'?

Thanks.

--
- Andrey

~ In theory, practice and theory are the same, but in practice
they are different (Larry McVoy) ~