[conspire] Autorun in GNOME/Nautilus
Rick Moen
rick at linuxmafia.com
Mon Sep 26 16:22:28 PDT 2011
Part of a conversation seen on LWN:
Trou.fr wrote:
A good rule to secure the admin's machines (apart from the secure
configuration of the machine itself) is to forbid any direct interaction
with dangerous sources : email, web. While this is cumbersome, this is
way safer. Information from open sources can be shared via indirect
means : USB sticks, etc.
Lennie replied:
Funny you should mention USB sticks, that is exactly how StuxNet did it.
Also, Linux is sometimes vulnerable to autorun attacks:
http://www.youtube.com/watch?v=ovfYBa1EHm4
So good luck with that ;-)
So, wait, I thought, did some idiot implement some bit of ignominious,
obviously dangerous stupidity like autorunning programs upon mounting of
volumes? A brief check of the YouTube clip suggests it's exactly the
first people I'd suspect: Freedesktop.org / GNOME.
http://standards.freedesktop.org/autostart-spec/autostart-spec-latest.html
...When a new medium is mounted and a) the medium does not contain an
Autostart file or b) a policy to ignore Autostart files is in effect
then the root directory of the medium should be checked for the
following Autoopen files in order of precedence: .autoopen, autoopen .
Only the first file that is present should be considered....
Wow. Just wow. These jackasses want to replicate on Linux/BSD _all_ the
most infamous security blunders Microsoft committed in the 1980s and 1990s.
It's easy to avoid GNOME brain-damage, but what worries me is that X.org
is in these people's hands.
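[Added example, not part of Rick's post or of the freedesktop spec: a small POSIX sh audit of a mounted volume's root for the trigger files the autostart spec describes. The Autoopen names (.autoopen, autoopen) are the ones quoted above; the Autostart names (.autorun, autorun, autorun.sh) are taken from the same spec at the linked URL. The function names and the precedence-per-kind reporting are this example's own.]

```shell
#!/bin/sh
# Added example (not from the original post): list the freedesktop
# Autostart/Autoopen trigger files in the root of a mounted volume,
# so a medium can be checked before any desktop is allowed to "handle" it.
# Names and precedence order follow the autostart spec linked above;
# the helper names below are this example's own.

AUTOSTART_NAMES=".autorun autorun autorun.sh"
AUTOOPEN_NAMES=".autoopen autoopen"

# first_present DIR NAME... -> prints the first NAME that exists in DIR
# (the spec says only the first file present is considered).
first_present() {
    dir=$1; shift
    for name in "$@"; do
        if [ -e "$dir/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# audit_volume DIR -> 0 if the root carries no trigger file, 1 otherwise,
# printing each trigger kind found together with the file that wins.
audit_volume() {
    vol=$1
    rc=0
    if f=$(first_present "$vol" $AUTOSTART_NAMES); then
        printf 'AUTOSTART trigger: %s/%s\n' "$vol" "$f"
        rc=1
    fi
    if f=$(first_present "$vol" $AUTOOPEN_NAMES); then
        printf 'AUTOOPEN trigger: %s/%s\n' "$vol" "$f"
        rc=1
    fi
    return $rc
}

# Usage: sh audit_volume.sh /media/usb0 [/media/usb1 ...]
# Exit status is non-zero if any listed volume carries a trigger file.
status=0
for vol in "$@"; do
    audit_volume "$vol" || status=1
done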