On 19 November 2015 at 15:31, Adam Jackson <ajax@xxxxxxxxxx> wrote: > On Wed, 2015-11-18 at 21:45 +0000, Ian Malone wrote: > >> Not really getting this. For any configuration task where you replace >> editing a root owned text file with access through some authorised >> gui, that gui is still vulnerable. > > That gui's code, unlike emacs, doesn't allow you to write arbitrary > data to arbitrary files. I can feed arbitrary input events to an emacs > window and have it modify any file the process could modify. It's a > lot harder to get, say, virt-manager to write arbitrary data to > arbitrary places. > Harder, but you still have the permissions that the application has, whatever route it may be using to modify those files. Emacs (for example) while you are using it does not just access arbitrary files under normal operation unless instructed, an attacker needs to subvert it somehow. There are differences of course, but if an application has rights that allow it access to things then someone taking control of it can access them too. -- imalone http://ibmalone.blogspot.co.uk -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
