
Re: risks of using net apps as a user in wheel or adm?



Douglas A. Tutty wrote:
> This is a more general question to an issue that came up in another
> thread.
>
> Not to single out Iceweasel but, for example, IIUC, javascript and
> flashplayer end up running someone else's code on your computer as you.
> What are the security implications of this?  What could a malicious
> flash or piece of javascript really do to your files in your home directory?
>
> What are the security implications of this if you are also a member of
> group wheel, adm, or staff?
>
> As for my home directory, of course it has security-sensitive info:
> health info, passwords, and other private documents.
>
> Should I have a separate user setup for just running a javascript- and
> flash-enabled web browser?

I would, but see below.

> I know that any software can have bugs, but I think that software that
> has to keep up with features to be useable (e.g. a browser) is more
> likely to be at risk of unknown exploits than more feature-stable
> net-apps such as mutt, exim, ftp, or rsync.

No doubt about that, though I don't think there's any way to quantify or even guess the risk, other than by saying 'less is better'. Unfortunately, cross-platform content also implies cross-platform malware. We can't just rely on not being Windows users, and I suspect that all 'technologies' are capable of much more harm than their inventors intended. We now have PDF malware. The bad guys are just plain more inventive.

I can do most of what I need with Iceweasel without flash and with No-Script, and I'm not a member of any useful security groups. I read secure logs with a sudo-ed mc in a terminal. I'd rate my paranoia as at least 90% of the theoretical 'pull-all-the-plugs-out' maximum. But then I've also run various versions of Windows for more than ten years, mostly without AV, without ever picking up anything unwanted, so it does help.

There's just no safe way of running other people's software on your machine. Microsoft Update and apt-get are probably as close as you get, and I wouldn't bet a large amount of money that either is 100% safe. One day MU will get hacked, and the whole world will collapse.


