[Gnash-dev] Building extensions

[Martin Guy]

2007/4/25, Rob Savoye <address@hidden>:
> One easy tweak would be to change the user to something like nobody

Not without setuiding the binary, which doesn't sound like the path to security.
Anyway the single-user-operating-system version can't do this, and 87%
of systems on the net are such.

>   The only one to worry about is the FileIO extension

As a user I wouldn't want *any* extensions enabled that write to the
environment unless I were running one specific Flash movie with known
contents (i.e. that I had written myself or got from someone I trust).
I wouldn't want random flash movies having access to mysql, nor have
to security-audit every future extension - that sounds like a sure way
to have endless new security holes forever.

How about disabling all extensions at runtime, unless they are
explicitly turned on, such as by a runtime flag like
--enable-extensions=fileio[,...]?

I would have said "or by config file or by menu-preferences" but now I
wonder whether Gnash-specific extensions can always be disabled in the
browser plugin.

That would also avoid the appearance on the web of Flash movies that
only work with Gnash (so we do not end up looking like the new
Microsoft breaking existing web standards) while allowing applications
that use a known movie or movies to do whatever they please. They just
need bundle (or depend on) gnash and supply a wrapper program to
launch it enabling whatever they need.

Would that do all we need?

   M