#5657 NORM 8.2.0 (: Rainbow should check that loophole'd activities come from /usr/share/activities.

Zarro Boogs per Child bugtracker at laptop.org
Thu Aug 14 16:52:54 EDT 2008

#5657: Rainbow should check that loophole'd activities come from
   Reporter:  cscott  |       Owner:  homunq                                         
       Type:  defect  |      Status:  new                                            
   Priority:  normal  |   Milestone:  8.2.0 (was Update.2)                           
  Component:  sugar   |     Version:                                                 
 Resolution:          |    Keywords:  security rainbow-integration, r?, blocks?:8.2.0
Next_action:  review  |    Verified:  0                                              
  Blockedby:          |    Blocking:                                                 

Comment(by homunq):

 <homunq> sugar-toolkit does not install loopholed activities

 [07:58] <homunq> sugar refuses to add non ~/Activities to registry, except
 during initial registry setup.

 [07:59] <marcopg> ah

 [07:59] <marcopg> except the initial registry setup

 [08:02] <marcopg> let's say that we install activities in /usr/share

 [08:03] <marcopg> why do we need any of these patches?

 [08:04] <homunq> I am attacker. I want root.

 [08:04] <homunq> Two separate possible attacks:

 [08:04] <homunq> 1. I give you an .xo which claims to be Terminal
  even though it is named "FunFunFun".
  This attack is stopped by the sugar-toolkit patch.

 [08:06] <marcopg> ok though it doesn't really inform the user about what
 is going on

 [08:07] <homunq> I agree, my patch for 1 is very lacking in UI, but it is
 a stopgap for 8.2. I have a monster patch, which I posted to @sugar (there
 were two drafts - second draft is much better) which is how I think it
 should work long term

 [08:06] <homunq> 2. I give you an .xo which has, buried in a directory,
  another bundle which claims to be Terminal. It asks activityregistry to
  register this second bundle, then tricks you into launching it somehow.
  This is stopped by the sugar patch.

Ticket URL: <http://dev.laptop.org/ticket/5657#comment:18>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system