14.03.10, 19:47, "Marcus D. Hanwell" marcus@cryos.org:
> On Wednesday 10 March 2010 04:37:34 Konstantin Tokarev wrote:
>> AFAIK, on startup Avogadro loads any library from some directories.
>> Notably, on *nix it can load plugins from the user-writable path
>> ~/.avogadro/plugins. On Windows all paths are often writable.
>> If a library is a proper Avogadro plugin, it will be loaded anyway, and it
>> can execute any malicious code in its constructor. It can be a virus (do
>> something nasty with user-writable files) or a trojan horse (send something
>> over the network). A virus developer doesn't have to code in assembler -
>> all the Qt stuff is in his hands!
> This is something we discussed at length - security versus extensibility.
> Especially if users could just download Python scripts and run them in
> Avogadro. How can they be sandboxed?
Python scripts are not dangerous: if one is doing something nasty, it can
easily be detected (at least by people who know Python).
Binaries are black boxes in this case.
> I don't seriously think there is a thing any of us can do to fix Windows…
> It is what it is, and users run it as they wish.
> The user writable directories were added so that new plugins did not have to
> be installed in directories only root had access to.
It's a very natural idea. Many applications (OOo, for example) allow installing
plugins system-wide or for the current user.
However, don't forget that any process the user runs has access to those
directories.
> I do agree that having Avogadro pop up a warning before loading a new plugin
> would be a good thing, but it does need to be balanced with enabling users to
> extend Avogadro easily.
How can it harm extensibility? If the warning is shown only the first time,
there will be no problem, I think.
> I would prefer a system where we maintained the user writable directories, but
> did not load the plugin without the users knowledge, whether that is a popup
> or whatever. If you are worried about Avogadro loading things from user
> writable directories, the user has more problems than that…
Of course, if the user deliberately writes files to these directories, it
can't be prevented. But 1) files can be written by an external malicious
process; 2) a malicious plugin could be attached to a "normal" one as a second
library.
> If an attacker wished to they could alias "avogadro" to whatever they wanted,
> including "rm -rf /" and potentially delete all of the users data…
rm -rf /* can't be executed by a user. The maximum is rm -rf $HOME/*
Erasing data isn't relevant for modern malware. Often its goal is to steal
something silently from the user and pass it over the network.
--
Regards,
Konstantin
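The "warn before loading a new plugin, but only the first time" mechanism that the two posters discuss above, as an added example that is not Avogadro code and not from either poster. It keys approval on the SHA-256 of each library so that a binary dropped into, or swapped in, a user-writable directory such as ~/.avogadro/plugins is reported rather than loaded silently; the directory layout, the file suffixes and the approvals file name are assumptions.

```python
# Added example, not code from Avogadro or from either poster: a
# "warn on first sight" gate for a user-writable plugin directory such as
# ~/.avogadro/plugins. A plugin is loaded only if its SHA-256 hash appears in
# a per-user approval file; anything new or modified is reported so the host
# application can prompt the user (once) instead of dlopen()ing it silently.
# The directory layout, suffix list and approvals file name are assumptions.
import hashlib
import json
import stat
import tempfile
from pathlib import Path

PLUGIN_SUFFIXES = (".so", ".dll", ".dylib")


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large plugin binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_approvals(approval_file: Path) -> dict:
    """Map of plugin file name -> approved SHA-256 hex digest (empty if absent)."""
    if not approval_file.exists():
        return {}
    return json.loads(approval_file.read_text())


def save_approvals(approval_file: Path, approvals: dict) -> None:
    approval_file.write_text(json.dumps(approvals, indent=2, sort_keys=True))


def triage_plugins(plugin_dir: Path, approvals: dict):
    """Split the directory contents into approved / unknown / changed plugins.

    Returns (approved, unknown, changed, warnings); the first three hold Path
    objects, warnings holds strings. Only the approved list should be loaded.
    """
    approved, unknown, changed, warnings = [], [], [], []
    if not plugin_dir.is_dir():
        return approved, unknown, changed, warnings
    # Any process the user runs can drop files here; a group- or
    # world-writable directory widens that to other accounts (POSIX bits only).
    mode = plugin_dir.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        warnings.append(f"{plugin_dir} is group- or world-writable")
    for p in sorted(plugin_dir.iterdir()):
        if not p.is_file() or p.suffix.lower() not in PLUGIN_SUFFIXES:
            continue
        digest = sha256_of(p)
        known = approvals.get(p.name)
        if known is None:
            unknown.append(p)      # never seen: prompt before loading
        elif known != digest:
            changed.append(p)      # approved before, bytes differ now: re-prompt
        else:
            approved.append(p)
    return approved, unknown, changed, warnings


def approve(approvals: dict, paths) -> dict:
    """Record the current hash of each path as user-approved (the 'yes' answer)."""
    for p in paths:
        approvals[p.name] = sha256_of(p)
    return approvals


if __name__ == "__main__":
    # Constructed sample: a throwaway plugin directory with two fake libraries,
    # one approved earlier and one that just appeared.
    root = Path(tempfile.mkdtemp())
    plugins = root / "plugins"
    plugins.mkdir()
    (plugins / "viewer.so").write_bytes(b"constructed plugin bytes A")
    (plugins / "dropped.so").write_bytes(b"constructed plugin bytes B")
    approvals_file = root / "approved-plugins.json"
    approvals = approve(load_approvals(approvals_file), [plugins / "viewer.so"])
    save_approvals(approvals_file, approvals)

    ok, new, mod, warns = triage_plugins(plugins, load_approvals(approvals_file))
    print("load:", [p.name for p in ok])
    print("ask user about:", [p.name for p in new])
    print("changed since approval:", [p.name for p in mod])
    for w in warns:
        print("warning:", w)
```

Approval is keyed on the file's hash rather than its name, so the second case Konstantin raises (a malicious library attached to a "normal" one, or a trusted file overwritten by another process) shows up as "changed" and triggers a fresh prompt, while a plugin the user already said yes to loads without any further dialog.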