14.03.10, 19:47, “Marcus D. Hanwell” email@example.com:
> On Wednesday 10 March 2010 04:37:34 Konstantin Tokarev wrote:
>> AFAIK, on startup Avogadro loads any library from some directories.
>> Notably, on *nix it can load plugins from the user-writable path
>> ~/.avogadro/plugins. On Windows all paths are often writable.
>> If a library is a proper Avogadro plugin, it will be loaded anyway, and it can
>> execute any malicious code in its constructor. It can be a virus (do something
>> nasty with user-writable files) or a trojan horse (send something over the
>> network). The virus developer doesn't have to code in assembler: all the Qt
>> stuff is at his disposal!
>
> This is something we discussed at length - security versus extensibility.
> Especially if users could just download Python scripts and run them in
> Avogadro. How can they be sandboxed?

Python scripts are not dangerous: if one is doing something nasty it can easily be detected (at least by people who know Python).
Binaries are the dark horses in this case.

> I don't seriously think there is a thing
> any of us can do to fix Windows… It is what it is, and users run it as they

> The user-writable directories were added so that new plugins did not have to
> be installed in directories only root had access to.

It's a very natural idea. Many applications (OOo, for example) allow plugins to be installed system-wide or for the current user.
However, don't forget that any process the user runs has access to those directories.

> I do agree that having
> Avogadro pop up a warning before loading a new plugin would be a good thing,
> but it does need to be balanced with enabling users to extend Avogadro easily.

How can it harm extensibility? If the warning is shown only the first time, there will be no problem, I think.

> I would prefer a system where we maintained the user-writable directories, but
> did not load the plugin without the user's knowledge, whether that is a popup
> or whatever. If you are worried about Avogadro loading things from user-
> writable directories, the user has more problems than that…

Of course, if the user intentionally writes files to these directories, it can't be prevented. But 1) files can be written by an external malicious process, and 2) a malicious plugin could be attached to a 'normal' one as a second library.

> If an attacker
> wished to they could alias 'avogadro' to whatever they wanted, including
> 'rm -rf /' and potentially delete all of the user's data…

rm -rf /* can't be executed by the user. The most that can happen is rm -rf $HOME/*.
Erasing data isn't relevant for modern malware. Often its goal is to steal something silently from the user and send it over the network.
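The gate the two of them are circling around, "keep the user-writable plugin directory, but don't load anything from it without the user's knowledge, and only ask once", can be made concrete. What follows is an added example written for this page; it is not code from the thread or from Avogadro. It assumes a plugin directory such as ~/.avogadro/plugins, a JSON file mapping each approved plugin path to its SHA-256, and the status labels `approved`/`new`/`modified`/`unsafe-permissions`; all of those are this example's own choices. The demo directory and plugin files it creates are constructed for the example. Two of Konstantin's concerns are handled explicitly: a file that another process can overwrite (group/world-writable, or owned by someone else) is never trusted, and a file whose content changed after the user approved it is treated as new again rather than silently loaded.

```python
"""Gate plugins found in a user-writable directory behind one-time user approval.

Added example, not Avogadro code. Assumed: plugin dir like ~/.avogadro/plugins,
approvals stored as JSON {absolute path: sha256}, labels below are our own.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

APPROVED, NEW, MODIFIED, UNSAFE = "approved", "new", "modified", "unsafe-permissions"
PLUGIN_SUFFIXES = {".so", ".dll", ".dylib", ".py"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def writable_by_others(path: Path) -> bool:
    """True if another process could have put this content here without the user.

    Symlinks are treated as unsafe (the target may live anywhere), as are
    group/world-writable entries and entries owned by a different uid. Note that
    these POSIX mode bits do not carry the same meaning on Windows.
    """
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode):
        return True
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    getuid = getattr(os, "getuid", None)  # absent on Windows
    return getuid is not None and st.st_uid != getuid()


def classify_plugins(plugin_dir: Path, approvals: dict) -> dict:
    """Map each candidate plugin to a label; only APPROVED ones may be loaded.

    The check must run before dlopen()/QPluginLoader::load(), because a native
    plugin's constructor has already executed by the time the host sees the file.
    """
    entries = sorted(plugin_dir.iterdir())
    if writable_by_others(plugin_dir):
        # If the directory itself is open, any file in it could be swapped: trust nothing.
        return {p.name: UNSAFE for p in entries}
    result = {}
    for p in entries:
        if p.suffix not in PLUGIN_SUFFIXES:
            continue
        if writable_by_others(p):
            result[p.name] = UNSAFE
            continue
        recorded = approvals.get(str(p))
        if recorded is None:
            result[p.name] = NEW          # first sight: show the warning, do not load
        elif recorded == sha256_of(p):
            result[p.name] = APPROVED     # same bytes the user said yes to
        else:
            result[p.name] = MODIFIED     # content changed since approval: ask again
    return result


def approve(approvals: dict, path: Path) -> None:
    """Record explicit consent for this exact file content (what the 'yes' button does)."""
    approvals[str(path)] = sha256_of(path)


def load_approvals(store: Path) -> dict:
    return json.loads(store.read_text()) if store.exists() else {}


def save_approvals(store: Path, approvals: dict) -> None:
    store.write_text(json.dumps(approvals, indent=2))


def demo() -> dict:
    """Constructed walk-through: first run, approval, then tampering by another process."""
    root = Path(tempfile.mkdtemp(prefix="plugins-"))  # mkdtemp creates it mode 0700
    try:
        good = root / "bondcentric.so"
        good.write_bytes(b"\x7fELF constructed plugin bytes")
        os.chmod(good, 0o644)
        loose = root / "dropped.so"
        loose.write_bytes(b"\x7fELF constructed plugin bytes")
        os.chmod(loose, 0o666)                     # anyone on the box could replace it
        store = root / "approved.json"             # skipped by the suffix filter
        approvals = load_approvals(store)
        first = classify_plugins(root, approvals)  # bondcentric: new, dropped: unsafe
        approve(approvals, good)                   # user accepted the one-time warning
        save_approvals(store, approvals)
        after_approval = classify_plugins(root, load_approvals(store))
        good.write_bytes(b"\x7fELF tampered bytes")  # external process rewrites the file
        after_tamper = classify_plugins(root, load_approvals(store))
        return {"first": first, "after_approval": after_approval, "after_tamper": after_tamper}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for stage, labels in demo().items():
        print(stage, labels)
```

The ordering matters: `classify_plugins` only reads the file, so a hostile plugin is never mapped into the process before the user has agreed, and re-hashing on every start is what turns "warn once" into "warn once per content" rather than "warn once per filename".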