
[return to "The Linux Security Circus: On GUI isolation"]
1. doki_p+o6 2011-04-24 01:29:07
>>wglb+(OP)
This argument is nonsense. Any program you run can exec other programs and read files from your home directory. You can't simply run any program you feel like running. If it's not a well known and trusted program, then you'll need to look at the source.

Do people run root GUIs as a client? That seems silly to me. I don't have one single GUI program that I run as root unless I'm troubleshooting a permissions issue.

2. virapt+1e 2011-04-24 08:54:22
>>doki_p+o6
> Do people run root GUIs as a client?

No, but that's where escalation comes in. You go to a page which uses JavaScript to take over your browser. Now your browser can capture and send back your shell password captured from the terminal window.
