Bug#3189: nvi over-cautious about .exrc?

To: bruce@pixar.com (Bruce Perens), debian-bugs@pixar.com
Cc: Dave Holland <93djh2@eng.cam.ac.uk>
Subject: Bug#3189: nvi over-cautious about .exrc?
From: Ian Jackson <ian@chiark.chu.cam.ac.uk>
Date: Tue, 4 Jun 96 03:31 BST
Message-id: <[🔎] m0uQltg-0002YCC@chiark.chu.cam.ac.uk>
Reply-to: Ian Jackson <ian@chiark.chu.cam.ac.uk>, debian-bugs@pixar.com
In-reply-to: <[🔎] m0uQOzu-0005zFC@mongo.pixar.com>
References: <[🔎] m0uQOzu-0005zFC@mongo.pixar.com>

Bruce Perens writes ("Bug#3189: nvi over-cautious about .exrc?"):
> I think that's prudent. It would be simple enough to stick a trojan
> horse in the .exrc .

I disagree, strongly.

It is not the business of programs to check the permissions of the
dotfiles in users' home directories.

Firstly, this means that they are deciding my security policy for me,
which is not appropriate.  (And, as we see, it is causing problems
because Debian's default security policy and architecture is not
compatible with its ideas.)

Secondly, it is futile.  For every program which does this check there
will be dozens which don't; if someone has the opportunity to attack
these files they'll just do it to one of the other ones.

Ian.

Reply to:

Follow-Ups:
- Re: Bug#3189: nvi over-cautious about .exrc?
  - From: Bill Mitchell <mitchell@mdd.comm.mot.com>

References:
- Bug#3189: nvi over-cautious about .exrc?
  - From: bruce@pixar.com (Bruce Perens)

Prev by Date: Bug#3190: rlogin takes far too long when remote says Connection Refused
Next by Date: Bug#3183: permissions problems with /var/lib/games
Previous by thread: Bug#3189: nvi over-cautious about .exrc?
Next by thread: Re: Bug#3189: nvi over-cautious about .exrc?
Index(es):
- Date
- Thread