On Tue, Apr 29, 2008 at 03:31:05PM -0400, Paul Fox wrote:
> michael wrote:
> > On Tue, Apr 29, 2008 at 02:54:15PM -0400, Paul Fox wrote:
> > > michael wrote:
> > > > Depends. Any software you run can write to your .xsession, yes?
> > > > Afterward, will you really notice an extra instance of 'bash', or
> > > > 'kdmgd', or some other nonsense running in the background, capturing all
> > > > your keystrokes, aliasing 'sudo', running 'xauth ++', setting up a
> > > > spambot, or querying an IRC server for recent local root exploits?
> > >
> > > eek! time to retire. ;-)
> > >
> > > your point is well taken, but since any program i run manually
> > > can also write to lots and lots of things that i run, or use as
> > > config,
> >
> > On an XO running a recent build (including 703), almost all activities
> > are prevented from writing to interesting places like .xsession. We just
> > invent new uids and gids (user ids and group ids) for them on demand.
> > Also, there's plenty left to do to help control the current exceptions.
>
> this paragraph is an argument that autostart is "okay" on the XO --
> not as dangerous as it is on my traditional workstation.

It suggests that we've made it a bit harder to scribble over the filesystem. There's plenty of nasty things that can still be done. One must also reflect upon what holes still lurk in the system. :)

Also, I think my comment that extensible user-level autostart systems running software that touches data which arrived over a network cost more than you think (and more than they're worth in convenience) still stands.

Thanks for the invigorating discussion,

Michael

