How to use rpm to install adobe-flash?

Joel Rees joel.rees at gmail.com
Wed Apr 13 12:56:48 UTC 2011


(I was hoping someone else would take the time to explain this.)

On Mon, Apr 11, 2011 at 12:42 PM, suvayu ali
<fatkasuvayu+linux at gmail.com> wrote:
> On Sun, Apr 10, 2011 at 7:04 PM, Joel Rees <joel.rees at gmail.com> wrote:
>> This is not to be mean to the other users. It's to protect the other
>> users from the vulnerabilities in flash. If flash is installed
>> globally (the usual thing that happens when you use the rpm package),
>> all users become vulnerable. Including that administrator account that
>> you never use to get on the web, except to fedoraproject.org and other
>> places where you need to read the manuals, etc.
>
> I don't think this is correct. Permissions for plugins are not setuid.

setuid is not really relavent to this particular question.

> So as long as the call to load the library is done as a regular user
> (as in, you don't surf the Internet as root),

Sure, you don't surf the web as root. I don't surf the web as root.
Nor do we surf the web as a user capable of raising privilege
temporarily via sudo.

And we always su (if we do use su to do administrative tasks) from
users that we never surf the web from, right? You understand why?

And we have a dedicated user for downloading live CD and install CD
images, Oracle's Java (if we need that) and (ahem) Adobe's Flash,
getting on-line to paypal or your bank, etc.

Right?

Does that explain why I'm saying you don't want Flash loading every
time you run your web browser as any user?

> vulnerabilities in the
> plugin can _only_ affect the regular user.

There are many paths to exploits besides things directly running in
the instance of the web server (with plugins) which you are currently
running. Tricks like leaving keyloggers and trojans behind, in places
where they get executed the next time you log in instead of now.

So a Flash exploit lets the bad guys leave a keylogger in your surfing
account. That's not good (and in some senses it's a ticking time
bomb), but at least it isn't as bad as it could be.

Joel Rees


More information about the users mailing list