Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

Ian Malone <ibmalone@xxxxxxxxx> wrote:
> 1. For example, a kiosk mode, where the home directory is wiped each
> login would be made less secure. The profile for the GUI is set at
> login, so writing .bash_profile has no effect on the GUI environment,
> but an attacker able to place files where the user has write
> permission could mask system binaries.

I agree with Zbigniew about this case: The protection fails as soon as
the user opens a terminal window.

> 2. The fact that a proof of concept cannot be provided is not a proof
> that a change you make is secure.

Nobody said it was.

And on the other hand: Somebody claiming that something is insecure, and
claiming to have a proof of concept without showing it, is not a proof
that there actually is a security problem.

> So this repeated insistence on providing a
> proof of concept before a security concern is taken seriously is
> fundamentally wrong, and I would be concerned to see it applied
> elsewhere in Fedora.

I asked for a proof of concept only because Tomasz Kłoczko claimed to
have one. I would otherwise be satisfied with a detailed description of
an attack scenario that can be analyzed to see whether it holds water.
I jumped into this debate because I couldn't stomach all the "It's
insecure because handwaving." and "It's insecure because I've said so
several times.".

Björn Persson
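
The masking scenario in the quoted point 1 can be audited on a given system. The shell function below is an added example, not part of the original message or of any Fedora tooling: it lists executables in an earlier PATH directory that hide a same-named executable in a later one. The function names and the directory tree built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# find_shadowed PATH_STRING
# Prints "name<TAB>winning_file<TAB>masked_file" for every executable in an
# earlier PATH directory that hides a same-named executable in a later one.
# Empty PATH entries (which mean the current directory) are skipped.
find_shadowed() {
    remaining=$1
    while [ -n "$remaining" ]; do
        dir=${remaining%%:*}
        case $remaining in
            *:*) remaining=${remaining#*:} ;;
            *)   remaining= ;;
        esac
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            later=$remaining
            while [ -n "$later" ]; do
                d2=${later%%:*}
                case $later in
                    *:*) later=${later#*:} ;;
                    *)   later= ;;
                esac
                # Ignore duplicate PATH entries; report only the first masked copy.
                if [ "$d2" != "$dir" ] && [ -f "$d2/$name" ] && [ -x "$d2/$name" ]; then
                    printf '%s\t%s\t%s\n' "$name" "$f" "$d2/$name"
                    break
                fi
            done
        done
    done
}

# Constructed sample: a throwaway tree standing in for ~/.local/bin and /usr/bin.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/.local/bin" "$t/usr/bin"
    for p in "$t/home/.local/bin/ls" "$t/home/.local/bin/mytool" \
             "$t/usr/bin/ls" "$t/usr/bin/cat"; do
        printf '#!/bin/sh\n' > "$p"
        chmod +x "$p"
    done
    # Only "ls" exists in both directories, so only "ls" is reported.
    find_shadowed "$t/home/.local/bin:$t/usr/bin" | cut -f1
    rm -rf "$t"
}
```

Calling `find_shadowed "$PATH"` in a login shell and again in a terminal opened from the GUI session shows whether the two environments resolve commands differently. On systems where `/bin` is a symlink to `/usr/bin`, having both in PATH makes every command appear in the output.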


