[conspire] Autorun in GNOME/Nautilus

Ruben Safir ruben at mrbrklyn.com
Tue Sep 27 14:53:08 PDT 2011


On Tue, Sep 27, 2011 at 02:32:19PM -0700, Rick Moen wrote:
> Quoting Nick Moffitt (nick at zork.net):
> 
> > To be fair, the autostart brainworms described here are pretty
> > universally disabled on any major OS.
> 
> I appreciate hearing this.  Because I recently loaded Ubuntu 11.10
> Oneiric Ocelot Beta 2 into a virtual machine out of curiosity, I
> attempted, this morning, to see if they _had_ disabled autostart.
> 
> Unfortunately, the inert blotchy mess that is the Unity desktop has at
> least temporarily defeated my efforts to investigate (i.e., I have no
> idea, yet, where in the hell are the controls), and apparently Beta 2
> doesn't default-provide GNOME Shell packages any more.  
> 
> I remain concerned about distro-packaged GNOME in at least the recent
> past, even if no longer.  I keep finding distro-specific pages like this
> one: http://wiki.debian.org/Gnome/nautilus_vs_gnome-volume-manager
> 
> ...not to mention this 2006 bug filed on package gnome-volume-manager
> complaining about _failure_ to autorun at mount time, and which was
> reported to be 'fixed' by down-revving the udev package.
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348100
> 
> An Ubuntu bug also grappled with the issue in 2006, and waffled:
> https://bugs.launchpad.net/ubuntu/+source/gnome-volume-manager/+bug/8690
> 
> But 2006 is of course quite a while ago.  Apparently, g-v-m is now dead
> upstream and has been replaced by gio/gvfs and Nautilus automount.
> 
> Anyhow, I don't have time at the moment to test-install an entire
> current GNOME-based distro and check, so please tell me:  Are you saying
> that current distros have, via their security teams or otherwise, a
> policy of 'Please ignore the upstream Freedesktop.org / GNOME spec about
> autostart at mount time.  They're morons'?  (E.g., always require user 
> confirmation before autostart, which policy I've seen discussed.)
> 
My opensuse distro is defaulted to Gnome and I've never seen it start
any application automatically from a thumbdrive or a disk.

Ruben

> That would be certainly A Good Thing, but still amounts to quite an
> indictment of FDO.
> 
> > The autorun problem that *actually* exists is the image thumbnailer in
> > nautilus.  If you can generate a file that can exploit the thumbnailer
> > somehow, you have a path toward executing arbitrary code.
> 
> That's actually generic threat model against image viewers.  People need
> to be careful about what code they allow to handle public data, and
> image files are certainly no exception.  However, even though there's 
> been a history of people being able to craft Jpeg, png, gif, whatever
> images able to segfault handling software insufficiently good at
> anticipating aberrant input data, turning that into arbitrary code
> execution is orders of magnitude more difficult.
> 
> I'd actually be a lot more worried about lusers who insist on installing
> Adobe Acroread instead of using xpdf/Evince/Okular.  Acroread has inline
> Javascript enabled by default -- a bonus exploit mode on top of those
> furnished by standard Adobe bug-crafting.  
> 
> http://linuxmafia.com/faq/Apps/pdf-readers.html
> 
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire

-- 
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world  - RI Safir 1998

http://fairuse.nylxs.com  DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

"Yeah - I write Free Software...so SUE ME"

"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."

"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politics and technology have been attached at the hip since the 1st dynasty in Ancient Egypt.  I guess you missed that one."

© Copyright for the Digital Millennium
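Since the question Rick raises (does a current GNOME still start anything at mount time, or does it ask first?) comes down to a handful of desktop settings, here is a small shell check for the GNOME 3 side of that. It is an added example, not code from anyone in this thread. It assumes the gsettings schema org.gnome.desktop.media-handling with the keys automount, autorun-never and autorun-x-content-start-app; GNOME 2 kept the equivalent switches under gconf and is not covered. The autorun-x-content-ignore and autorun-x-content-open-folder keys are left out to keep the classification simple, and when gsettings is not on the machine the script falls back to constructed sample values so it still runs.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: summarise what GNOME 3's
# media-handling settings do when a removable volume shows up. Assumes the
# gsettings schema org.gnome.desktop.media-handling and its keys automount,
# autorun-never and autorun-x-content-start-app.

# Classify one set of values, given as the literal strings gsettings prints.
#   $1 automount                    "true" / "false"
#   $2 autorun-never                "true" / "false"
#   $3 autorun-x-content-start-app  "@as []" or e.g. "['x-content/unix-software']"
# Prints one of: no-automount, automount-no-autorun, autorun-prompts,
# autorun-silent, unknown
classify_media_handling() {
    automount=$1
    autorun_never=$2
    start_app_list=$3
    case "$automount$autorun_never" in
        truetrue|truefalse|falsetrue|falsefalse) ;;
        *) echo unknown; return ;;   # not a pair of booleans, cannot judge
    esac
    if [ "$automount" != "true" ]; then
        echo no-automount            # desktop does not mount the volume at all
        return
    fi
    if [ "$autorun_never" = "true" ]; then
        echo automount-no-autorun    # mounted, but no x-content handling runs
        return
    fi
    case "$start_app_list" in
        "[]"|"@as []")
            echo autorun-prompts ;;  # user is asked what to do; nothing starts by itself
        *)
            echo autorun-silent ;;   # listed content types launch their app unprompted
    esac
}

# Read a key from the live desktop if gsettings exists; otherwise use a
# constructed sample value so the script still runs on a headless box.
read_media_key() {
    if command -v gsettings >/dev/null 2>&1; then
        gsettings get org.gnome.desktop.media-handling "$1" 2>/dev/null || echo unknown
    else
        case "$1" in
            automount) echo true ;;                      # constructed sample
            autorun-never) echo false ;;                 # constructed sample
            autorun-x-content-start-app) echo "@as []" ;; # constructed sample
            *) echo unknown ;;
        esac
    fi
}

# One-line report of the current (or sample) policy.
report_media_handling() {
    am=$(read_media_key automount)
    an=$(read_media_key autorun-never)
    sa=$(read_media_key autorun-x-content-start-app)
    printf 'automount=%s autorun-never=%s start-app=%s -> %s\n' \
        "$am" "$an" "$sa" "$(classify_media_handling "$am" "$an" "$sa")"
}

report_media_handling
```

The result you want to see on a desktop that follows the "always ask first" policy discussed above is automount-no-autorun or autorun-prompts; autorun-silent means some content type in autorun-x-content-start-app will have its application launched without a dialog.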