
Re: The truth about PSM and other XPI's



On Tue, Dec 12, 2000 at 11:29:05AM -0600, Joe piman Wreschnig wrote:
> On Tue, Dec 12, 2000 at 02:12:20PM -0300, Sebastian Silva wrote:
> > The thing is the default permissions for /usr/lib/mozilla are too tight.
> No, they're fine, Mozilla is just horrid about multiuser systems.

correct

> > My solution was simply to give it all the permissions it wants (of course
> > NOT setuid).
> This becomes a MAJOR MAJOR security risk; now anyone can install a trojan
> XPI file.

correct

> > Could somebody tell us what the right permissions are?
> 755 for the directory, 755 (for binaries/scripts/libraries) and 644 (for
> configuration files).

correct, except the libraries should be 644 not 755.  executing a
library only results in a core dump, it's not necessary for libraries
to be executable.  see debian policy.  

> Mozilla unfortunately does not work well on multiuser systems. The Netscape
> engineers know this, and say instead to unpack it in every user's home
> directory. This is an equally bad solution.

installing in every user's home directory is at least not so much of a
security hole as making all the mozilla files mode 777.  but it's an
inexcusable waste of space and a burden on the users who have to
maintain software installations on their own.  (or a massive burden on
the sysadmin to maintain X copies of the same program, where X ==
number of users.)  totally unacceptable.  

> See http://bugzilla.mozilla.org/show_bug.cgi?id=41057. They liken installing
> XPI files to installing mod_perl (I'll let you judge the validity of comparing
> a web server module to a nearly mandatory end-user application).

i don't understand why this is not considered a release critical bug
of the highest priority.  the current state of mozilla is totally
unacceptable for any modern, secure, multiuser operating system.  even
NT and W2K suffer this design flaw.  but i guess netscape only cares
about win98...

> http://bugzilla.mozilla.org/show_bug.cgi?id=56429 is the same issue, but on
> Win2k.

i can see them ignoring *nix, but ignoring W2K seems like suicide.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
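
A read-only audit for the permissions discussed in this message, added here as an example and not part of the original post. The function name `audit_tree` and the output labels are made up for illustration; the directory and expected owner are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only audit of a shared install
# tree (e.g. /usr/lib/mozilla) against the modes given in the message:
# directories and binaries/scripts 755, libraries and config files 644.
# Usage: audit_tree DIR [OWNER]   (OWNER: name or numeric uid, default root)
# Prints one "LABEL path" line per deviation, nothing when the tree is clean.
audit_tree() {
    root=$1
    owner=${2:-root}

    # Group- or world-writable entries: any local user could add or replace
    # a file that other users later load. Symlinks are skipped because
    # their own mode bits are not used for access checks.
    find "$root" ! -type l \( -perm -020 -o -perm -002 \) \
        -exec printf 'WRITABLE %s\n' {} \;

    # Entries not owned by the expected account: mode 755 protects nothing
    # when an ordinary user owns the file.
    find "$root" ! -type l ! -user "$owner" \
        -exec printf 'OWNER %s\n' {} \;

    # setuid/setgid files, which the thread rules out explicitly.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'SETID %s\n' {} \;

    # Shared libraries with any execute bit set (the reply asks for 644).
    find "$root" -type f -name '*.so*' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec printf 'EXEC-LIB %s\n' {} \;
}

# Run directly as: sh audit.sh /usr/lib/mozilla
if [ "$#" -gt 0 ]; then
    audit_tree "$@"
fi
```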
