[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Gnash-dev] Building extensions
From: |
Martin Guy |
Subject: |
[Gnash-dev] Building extensions |
Date: |
Thu, 26 Apr 2007 15:55:30 +0100 |
2007/4/25, Rob Savoye <address@hidden>:
One easy tweak would be to change the user to something like nobody
Not without setuiding the binary, which doesn't sound like the path to security.
Anyway the single-user-operating-system version can't do this, and 87%
of systems on the net are such.
The only one to worry about is the FileIO extension
As a user I wouldn't want *any* extensions enabled that write to the
environment unless I were running one specific Flash movie with known
contents (i.e. that I had written myself or got from someone I trust).
I wouldn't want random flash movies having access to mysql, nor have
to security-audit every future extension - that sounds like a sure way
to have endless new security holes forever.
How about disabling all extensions at runtime, unless they are
explicitly turned on, such as by a runtime flag like
--enable-extensions=fileio[,...]?
I would have said "or by config file or by menu-preferences" but now I
wonder whether Gnash-specific extensions can always be disabled in the
browser plugin.
That would also avoid the appearance on the web of Flash movies that
only work with Gnash (so we do not end up looking like the new
Microsoft breaking existing web standards) while allowing applications
that use a known movie or movies to do whatever they please. They just
need bundle (or depend on) gnash and supply a wrapper program to
launch it enabling whatever they need.
Would that do all we need?
M
- [Gnash-dev] Building extensions, Udo Giacomozzi, 2007/04/24
- Re: [Gnash-dev] Building extensions, Rob Savoye, 2007/04/24
- Re: [Gnash-dev] Building extensions, strk, 2007/04/25
- Message not available
- Re: [Gnash-dev] Building extensions, Rob Savoye, 2007/04/26
- [Gnash-dev] Building in security, Eric Hughes, 2007/04/26
- Re: [Gnash-dev] Building in security, Rob Savoye, 2007/04/26
- Re: [Gnash-dev] Building in security, Martin Guy, 2007/04/26
- Re: [Gnash-dev] Building in security, Rob Savoye, 2007/04/26
- Re: [Gnash-dev] Building in security, Eric Hughes, 2007/04/26
- Re: [Gnash-dev] Building in security, Eric Hughes, 2007/04/26
- Re: [Gnash-dev] Building extensions, Martin Guy, 2007/04/26
- Re: [Gnash-dev] Building extensions, Rob Savoye, 2007/04/26
- Re: [Gnash-dev] Building extensions, strk, 2007/04/26