Good point, I think the Portland project could come up with a command that should be used to add things to the autostart folder. The issue is similar to applications registering themselves as the default application for a certain file type.
Cheers, Waldo On Tuesday 21 February 2006 15:35, Mike Hearn wrote: > One thing that's worth considering here is security - on Windows the > ability for apps to register themselves as auto-startable in many > different places has been an attack vector for malware. > > Right now Linux is in the same situation, you could make an app auto-start > by abusing: > > - session management > - various $HOME dotfiles (.xsession, .profile ?) > - gnome/kde specific mechanisms for this > - and now this spec > > It's legitimate for apps to auto-start themselves at login time, but it > needs to be carefully controlled so apps cannot do it without the user > knowing. > > Obviously if an app is installed as root via RPM or whatever then it's > game over. But it's possible for malware to be installed via other routes: > browser/email exploits, running saved attachments, whatever. And actually > on Windows that's often what happens. > > Frameworks like SELinux or AppArmor can help prevent this - if only a > certain program, say /usr/bin/register-autostart can write to > ~/.config/autostart and no other programs run with regular user privs can, > then this register-autostart program can pop up a GUI saying "Do you > really want $XYZ program to auto-start? Yes/No" giving users a chance to > veto this request. OK it may not help /much/ but it might help a bit. > > Adapting the spec to have this wouldn't be hard, just say that apps > are not allowed to write directly to ~/.config/autostart, and that if they > wish to register/unregister autostart after the fact (from their prefs > window for instance) they must do it via a command line app. > > Anyway it's worth considering this sort of approach for future specs as > well. Routing configuration tasks via a program could help fend off > malware in future. > > thanks -mike > > _______________________________________________ > xdg mailing list > [email protected] > http://lists.freedesktop.org/mailman/listinfo/xdg -- Linux Client Architect - Channel Platform Solutions Group - Intel Corporation
pgpasBKrXE3t6.pgp
Description: PGP signature
_______________________________________________ xdg mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/xdg
