From owner-freebsd-security@FreeBSD.ORG Tue Jul 29 05:12:59 2008
Date: Tue, 29 Jul 2008 07:12:41 +0200
From: Szilveszter Adam <sziszi@bsd.hu>
To: freebsd-security@freebsd.org
Subject: Re: A new kind of security needed
Message-ID: <20080729051241.GA1995@baranyfelhocske.buza.adamsfamily.xx>
References: <60254.1216921273@critter.freebsd.dk> <4888C882.30707@elischer.org> <200807242320.m6ONKPgW007279@apollo.backplane.com> <51095.192.168.1.10.1216955905.squirrel@192.168.1.100> <20080725045654.GA1572@baranyfelhocske.buza.adamsfamily.xx>
User-Agent: Mutt/1.5.18 (2008-05-17)
List-Id: "Security issues [members-only posting]"

On Mon, Jul 28, 2008 at 12:28:38PM -0700, Matt Reimer wrote:
> My idea was to basically have a secure file picker that grants the app
> (e.g. Firefox) access to the file, in a way that would be transparent
> to the user. For example, when Firefox wants to save a PDF it displays
> the file picker as usual and the file is saved. Underneath what's
> happening is that Firefox talks to the trusted system filepicker via a
> socket, and depending on the user's input it grants access to the
> file, whether temporarily or permanently.
>
> If Firefox is using the standard GTK file picker, then only GTK would
> need to be changed.

Well, you have snipped the part of my message that deals with this: The
mere idea of "trusted" system components is faulty. There is nothing on a
standard PC that you can trust, when it comes down to it. Not even the
hardware. Remember, if you can install a new application, a malware author
can do the same. It only takes one hole in such a "trusted" service, and
all of your machine is 0wned.

There is a very long history of such disasters on Windows, where it is
quite common to split software in two parts: one that runs with privilege
in the background as a service (you could say a daemon on Unix) and one
that runs as the user and displays the GUI. Many anti-virus products work
this way. There have been just too many cases when this design just blew
up and led to a system compromise instead of just eg deleting all the
jpg-s of the user.

Security is a complex matter...

-- 
Regards: Szilveszter ADAM
Budapest Hungary