[conspire] Autorun in GNOME/Nautilus

Rick Moen rick at linuxmafia.com
Mon Sep 26 16:22:28 PDT 2011

Part of a conversation seen on LWN:

Trou.fr wrote:

A good rule to secure the admin's machines (apart from the secure
configuration of the machine itself) is to forbid any direct interaction
with dangerous sources : email, web. While this is cumbersome, this is
way safer.  Information from open sources can be shared via indirect
means : USB sticks, etc.

Lennie replied:

Funny you should mention USB sticks, that is exactly how StuxNet did it.

Also Linux is sometimes also vulnerable to autorun attacks:


So good luck with that ;-)

So, wait, I thought, did some idiot implement some bit of ignominous,
obviously dangerous stupidity like autorunning programs upon mounting of
volumes?  A brief check of the YouTube clip suggests it's exactly the
first people I'd suspect:  Freedesktop.org / GNOME.


  ...When a new medium is mounted and a) the medium does not contain an
  Autostart file or b) a policy to ignore Autostart files is in effect
  then the root directory of the medium should be checked for the
  following Autoopen files in order of precedence: .autoopen, autoopen .
  Only the first file that is present should be considered....

Wow.  Just wow.  These jackasses want to replicate on Linux/BSD _all_ the
most infamous security blunders Microsoft committed in the 1980s and 1990s.

It's easy to avoid GNOME brain-damage, but what worries me is that X.org
is in these people's hands.

More information about the conspire mailing list