#5657 NORM Never A: Rainbow should check that loophole'd activities come from /usr/share/activities.

Zarro Boogs per Child bugtracker at laptop.org
Sun Dec 23 18:41:22 EST 2007


#5657: Rainbow should check that loophole'd activities come from
/usr/share/activities.
---------------------------------+------------------------------------------
 Reporter:  cscott               |       Owner:  mstone        
     Type:  defect               |      Status:  new           
 Priority:  normal               |   Milestone:  Never Assigned
Component:  security             |     Version:                
 Keywords:  security, update.1?  |    Verified:  0             
 Blocking:                       |   Blockedby:                
---------------------------------+------------------------------------------
 Rainbow only checks the bundle_id to determine whether to disable
 containerization for an activity.  Rainbow should also check that the
 activity comes from /usr/share/activities; otherwise a kid could download
 some activity from the interweb which (invisibly) registers itself as
 LogViewer, and then can su to root and do all sorts of mischief.

 Requiring installation in /usr/share/activities substantially raises the
 barrier for this attack.

-- 
Ticket URL: <http://dev.laptop.org/ticket/5657>
One Laptop Per Child <http://dev.laptop.org>
OLPC bug tracking system



More information about the Bugs mailing list