Is it time to allow Chromium in Fedora?

Reindl Harald h.reindl at thelounge.net
Tue Aug 11 21:07:33 UTC 2015



On 11.08.2015 at 23:03, Mustafa Muhammad wrote:
>
> On Aug 12, 2015 12:00 AM, "Mustafa Muhammad" <mustafa1024m at gmail.com> wrote:
>  >
>  >
>  > On Aug 11, 2015 11:29 PM, "Reindl Harald" <h.reindl at thelounge.net> wrote:
>  > >
>  > >
>  > >
>  > > On 11.08.2015 at 22:18, Mustafa Muhammad wrote:
>  > >>
>  > >>  > If I knew Mozilla's Linux binaries provided its own update mechanism
>  > >>  > and notification, yes I would do exactly that.
>  > >>
>  > >> I am pretty sure they get updated just like Windows and OS X binaries,
>  > >> but the tar ball should be extracted in a user writable location
>  > >
>  > >
>  > > nonsense
>  > >
>  > > *if* you use binary tarballs they *should not* be extracted in a
>  > > user writeable location as *no binary* whenever possible should have
>  > > permissions allowing an ordinary user to change them
>  > >
>  > > they should be extracted to /usr/local/ with root-only
>  > > write-permissions and you have to just start the application as root for
>  > > updates - not only on Linux, on *any* operating system
>  > >
>  > > and since most users are not able to cope with these security
>  > > principles package managers exist
>  > > _________________________________________
>  > >
>  > > http://www.tldp.org/HOWTO/Security-HOWTO/file-security.html
>  > >
>  > > World-writable files, particularly system files, can be a security
>  > > hole if a cracker gains access to your system and modifies them.
>  > > Additionally, world-writable directories are dangerous, since they allow
>  > > a cracker to add or delete files as he wishes
>  >
>  > My home is not world writable.
>  > The way you pointed is the better way, of course, but I think even my
>  > simple way is better than waiting for package updates from the repos
>  > when an exploit is in the wild.
>
> By the way, running an application as root, even for just updating it is
> dangerous

besides your home *is world writable* when a remote exploit happens to
any application you are running do some simple calculation what is more
likely to be exploited:

* your application running with your user all day long
   handling random input data from all over the web

* your application started once as root only for the
   purpose of installing updates

if you don't realize the difference there is no help...
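
An added example, not part of the original message: the permission rule argued above (an unpacked binary tree should be writable only by a trusted owner, normally root) can be checked mechanically. The function name `audit_install_tree`, the `trusted_uids` parameter and the demo tree with its file names are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_install_tree(root, trusted_uids=frozenset({0})):
    """Return sorted (relative_path, reason) pairs for every directory and
    file under root that an account outside trusted_uids could modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode bits are not what gets executed
            rel = os.path.relpath(path, root)
            if st.st_uid not in trusted_uids:
                findings.append((rel, f"owned by uid {st.st_uid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample: a fake unpacked tarball with two loose entries."""
    root = tempfile.mkdtemp(prefix="app-demo-")
    os.chmod(root, 0o755)
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    os.chmod(bindir, 0o775)            # group members can replace files here
    for name, mode in (("app", 0o755), ("updater", 0o777)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)           # explicit chmod, independent of umask
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    # With the default trusted_uids={0}, a tree unpacked by an ordinary user
    # is reported entry by entry as owned by that user.
    for rel, reason in audit_install_tree(demo):
        print(f"{rel}: {reason}")
```

Directories are checked as well as files because write access to a directory is enough to replace a binary inside it, whatever the binary's own mode.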
