
Re: flashplugin-nonfree get-upstream-version.pl security concern



On Thu, Dec 13, 2012 at 1:47 PM, Davide Prina <davide.prina@gmail.com> wrote:
> On 12/12/2012 23:26, Michael Gilbert wrote:
>> Ultimately, for anyone even modestly
>> security-conscious adobe flash should really be avoided at all costs.
> +1
> I'm not an expert, but I think that packages like this must first ask the
> users list on which you want this plugin installed and then execute scripts
> only for those users as user, not root, with, for example, su -c USER1
> "script.sh" ... (downloading the file [with ugo+r] in /tmp/RANDOMDIR [with
> ugo+x] only once).

Why do group and other need access again? Even if it's read-only,
you are still introducing a fatal security problem indirectly by
promoting the usage of global read.

> Also I think that these packages must alert the user that they will download
> something from a website and ask for a confirmation to continue (I don't
> know if it is already implemented).
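As an added illustration of the pattern discussed in this thread (not code from flashplugin-nonfree or from either poster), the sketch below stages a download in a per-user directory that is mode 700, confirms with the user first, and drops to the target user with su when run as root; the user name, URL and the use of wget are assumptions.

```sh
#!/bin/sh
# Added example: private staging for a downloaded plugin, no ugo+r involved.
set -eu

# Create a fresh directory that only the invoking user can enter or read.
# mktemp -d creates it 0700; the subshell umask keeps later files 0600.
make_private_stage() {
    ( umask 077; mktemp -d "${TMPDIR:-/tmp}/stage.XXXXXX" )
}

# Succeed only when a path is owner-only (700 for a directory, 600 for a file).
is_owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 700|600) return 0 ;; *) return 1 ;; esac
}

# Tell the user what will be fetched and require an explicit yes on stdin.
confirm_download() { # $1 = url
    printf 'About to download %s from the network. Continue? [y/N] ' "$1"
    read -r answer
    case "$answer" in y|Y) return 0 ;; *) return 1 ;; esac
}

# Fetch as an unprivileged user: hand the stage dir to that user and
# run wget under su when we are root; otherwise just fetch as ourselves.
fetch_as_user() { # $1 = target user (assumed), $2 = url, $3 = stage dir
    if [ "$(id -u)" -eq 0 ]; then
        chown "$1" "$3"
        su -s /bin/sh -c "umask 077; cd '$3' && wget -q '$2'" "$1"
    else
        ( umask 077; cd "$3" && wget -q "$2" )
    fi
}
```

Because nothing in the stage is group- or world-readable, another local user cannot read or swap the downloaded file before it is installed.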
