#5657 NORM 8.2.0: Rainbow should check that loophole'd activities come from /usr/share/activities.

Zarro Boogs per Child bugtracker at laptop.org
Thu Aug 14 16:52:54 EDT 2008


#5657: Rainbow should check that loophole'd activities come from
/usr/share/activities.
----------------------+-----------------------------------------------------
   Reporter:  cscott  |       Owner:  homunq                                         
       Type:  defect  |      Status:  new                                            
   Priority:  normal  |   Milestone:  8.2.0 (was Update.2)                           
  Component:  sugar   |     Version:                                                 
 Resolution:          |    Keywords:  security rainbow-integration, r?, blocks?:8.2.0
Next_action:  review  |    Verified:  0                                              
  Blockedby:          |    Blocking:                                                 
----------------------+-----------------------------------------------------

Comment(by homunq):

 <homunq> sugar-toolkit does not install loopholed activities
 (activitybundle.py)

 [07:58] <homunq> sugar refuses to add non ~/Activities to registry, except
 during initial registry setup.

 [07:59] <marcopg> ah

 [07:59] <marcopg> except the initial registry setup
 ...

 [08:02] <marcopg> let's say that we install activities in /usr/share

 [08:03] <marcopg> why do we need any of these patches?

 [08:04] <homunq> I am attacker. I want root.

 [08:04] <homunq> Two separate possible attacks:

 [08:04] <homunq> 1. I give you an .xo which claims to be Terminal
  even though it is named "FunFunFun"
 This attack is stopped by the sugar-toolkit patch.

 [08:06] <marcopg> ok though it doesn't really inform the user about what
 is going on

 [08:07] <homunq> I agree, my patch for 1 is very lacking in UI, but it is
 a stopgap for 8.2. I have a monster patch, which I posted to @sugar (there
 were two drafts - second draft is much better) which is how I think it
 should work long term

 [08:06] <homunq> 2. I give you an .xo which has, buried in a directory,
 another bundle which claims to be terminal. It asks activityregistry to
 register this second bundle, then tricks you into launching it somehow.
 This is stopped by the sugar patch.

-- 
Ticket URL: <http://dev.laptop.org/ticket/5657#comment:18>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system

