[conspire] Autorun in GNOME/Nautilus
Rick Moen
rick at linuxmafia.com
Tue Sep 27 15:34:39 PDT 2011
Quoting Ruben Safir (ruben at mrbrklyn.com):

> My opensuse distro is defaulted to Gnome and I've never seen it start
> any application automatically from a thumbdrive or a disk.

Further reading, and going back and consulting the FDO spec, reveals
that I missed an important sentence. So, I take back (and regret) that
comment.

  The desktop environment MUST prompt the user for confirmation before
  automatically starting an application.

http://standards.freedesktop.org/autostart-spec/autostart-spec-latest.html

(I really don't entirely like 'Is it OK to run some executable you've
never seen on a USB stick?' dialogues as a security solution, but must
admit that it's miles away from merely enabling autorun on mount.)

Nick is correct that the thumbnailers (of which there are several in a
typical GNOME setup, not just the one in Nautilus) are the juicier
target. Fortunately, I'm seeing signs that this is being recognised and
dealt with via AppArmor, position-independent executables (PIE),
software to use the No eXecute bit (PaX or Exec Shield), and address
space layout randomization (ASLR).

http://www.outflux.net/blog/archives/2011/02/11/shaping-the-direction-of-research/
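
Added example, not part of the original message or of any GNOME code: one way to check whether a thumbnailer binary was built with two of the mitigations named above, PIE (which lets ASLR randomise the main image) and a non-executable stack, by reading the ELF headers directly. It assumes 64-bit little-endian ELF files; the function names and the two sample images are constructed for illustration, and AppArmor confinement is not covered.

```python
import struct
import sys

ET_DYN = 3                    # e_type of PIE executables (and shared objects)
PT_INTERP = 3                 # segment naming the dynamic loader
PT_GNU_STACK = 0x6474E551     # segment whose flags give the stack permissions
PF_X = 1                      # "executable" bit in p_flags

def elf_hardening(data):
    """Return PIE / non-executable-stack status for a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp, stack_flags = False, None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        # Heuristic: ET_DYN plus a loader segment means a dynamically linked PIE.
        "pie": e_type == ET_DYN and has_interp,
        # A missing PT_GNU_STACK is treated as "stack may be executable".
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }

def make_elf(e_type, segments):
    """Constructed header-only ELF64 image for the demo; segments = [(p_type, p_flags)]."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                         64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                     for t, f in segments)
    return ident + header + phdrs

HARDENED = make_elf(3, [(PT_INTERP, 4), (PT_GNU_STACK, 6)])   # ET_DYN, stack RW
LEGACY = make_elf(2, [(PT_INTERP, 4), (PT_GNU_STACK, 7)])     # ET_EXEC, stack RWX

if __name__ == "__main__":
    for path in sys.argv[1:]:         # e.g. the binary named by a thumbnailer entry
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
    print("constructed hardened:", elf_hardening(HARDENED))
    print("constructed legacy:  ", elf_hardening(LEGACY))
```

Run it with the paths of the installed thumbnailer executables as arguments; any that report `pie: False` or `nx_stack: False` are the ones still lacking those build-time protections.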