Policies
No Open Ports
Default installations of Ubuntu must have no listening network services after initial install. Exceptions to this rule include network infrastructure services such as DHCP and Avahi. When installing Ubuntu Server, the administrator can, of course, select specific services to install beyond the defaults (e.g. Apache).
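One way to verify this policy on an installed system, as an added example (not Ubuntu's own tooling): parse the kernel's /proc/net/tcp and /proc/net/tcp6 tables directly instead of shelling out to ss or netstat, and report every TCP socket in the LISTEN state that is bound to something other than loopback. The two sample tables are constructed, not captured from a real host, and the address decoding assumes a little-endian machine (x86, arm64), which is how the kernel prints these columns there.

```python
import ipaddress
import os
import socket
import struct

TCP_LISTEN = "0A"  # value of the 'st' column for a listening TCP socket


def _decode_ipv4(hexaddr):
    # /proc/net/tcp prints the address as one 32-bit word in host byte order
    # (little-endian assumed here, as on x86 and arm64)
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def _decode_ipv6(hexaddr):
    # /proc/net/tcp6 prints four 32-bit words, each in host byte order
    words = [int(hexaddr[i:i + 8], 16) for i in range(0, 32, 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)
    return socket.inet_ntop(socket.AF_INET6, raw)


def listening_sockets(table_text):
    """Parse /proc/net/tcp or /proc/net/tcp6 text and return the LISTEN
    sockets as (address, port, uid, inode) tuples, in table order."""
    found = []
    for line in table_text.splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        hexaddr, hexport = f[1].split(":")
        addr = _decode_ipv6(hexaddr) if len(hexaddr) == 32 else _decode_ipv4(hexaddr)
        found.append((addr, int(hexport, 16), int(f[7]), int(f[9])))
    return found


def exposed_listeners(table_text):
    """Listeners reachable from the network: everything not bound to loopback."""
    return [s for s in listening_sockets(table_text)
            if not ipaddress.ip_address(s[0]).is_loopback]


# Constructed sample tables (not from a real machine): sshd on 0.0.0.0:22,
# cups on 127.0.0.1:631, one established ssh session, cups again on [::1]:631.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18532 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19201 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 0102000A:D0A4 01 00000000:00000000 00:00000000 00000000     0        0 20411 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19202 1 0000000000000000 100 0 0 10 0
"""


def audit(tcp_text=None, tcp6_text=None):
    """Audit the live host when called without arguments. The policy holds
    when the returned list is empty."""
    if tcp_text is None:
        with open("/proc/net/tcp") as fh:
            tcp_text = fh.read()
    if tcp6_text is None:
        tcp6_text = ""
        if os.path.exists("/proc/net/tcp6"):  # absent when IPv6 is disabled
            with open("/proc/net/tcp6") as fh:
                tcp6_text = fh.read()
    return exposed_listeners(tcp_text) + exposed_listeners(tcp6_text)


if __name__ == "__main__":
    for addr, port, uid, inode in audit():
        print(f"exposed listener {addr}:{port} uid={uid} inode={inode}")
```

Loopback-only listeners (cups on 127.0.0.1 in the sample) are not counted as exposed because they are unreachable from the network; whether they still count as a "listening network service" under the policy is a judgement call, so listening_sockets() returns them too. The UDP tables use a different state encoding and are left out of this example.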
Executable code does not run without execute bit
There is currently a lack of consistency on the Ubuntu desktop in how downloaded content that has to be executed to be useful is handled: some of it is executed automatically, some is not handled at all. Security and ease of use need to be balanced, and a consistent policy developed, that can guide the development of MIME handlers in Ubuntu.
Principles
- MIME handlers should not ever run executable code
  - does this cause Java Web Start to fail?
- files that are executables, and have the executable bit set, should be handled via the kernel (binfmt-misc) - not via MIME
  - this includes application-specific macros: vim macros, OOo macros, ...
  - this also includes desktop files in some cases!
- Files downloaded from a web browser, mail client, etc. should never be saved as executable
- executable code that is not marked executable:
  - do not provide a workaround to run them anyway automatically - i.e., never juxtapose <long explanatory text> with <easy button that bypasses the text>
Goals
- Programs that download executables from the internet should mark them with extended attributes saying where they came from, when, and which user downloaded them, and should not mark them +x
The error message when trying to open a file that contains executable code but is not marked executable should:
- explain why this may be a dangerous file
- tell you how to change its permissions
- not give you the option of launching it anyway
- maybe give you the option of looking for trusted software instead
- CD-ROMs: on CDs without Rock Ridge extensions every file appears executable (the same goes for USB sticks), so the execute bit does not block this case
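The principles and goals above combined into one download-and-open flow, as an added example and not the code of any Ubuntu component: the download is saved 0644 with its provenance stored in user extended attributes, and the "open" decision is made from the mode bits first (executable bit set: hand to the kernel) and from the file content second (looks like code but not marked executable: refuse, with no "run anyway" path). The attribute name user.xdg.origin.url is the one some download clients use; the other two attribute names, the function names and the sample files are assumptions made for this example.

```python
import errno
import os
import stat
import tempfile
import time

# user.xdg.origin.url is the name some download clients write; the other two
# names are assumptions for this example.
XATTR_ORIGIN = "user.xdg.origin.url"
XATTR_TIME = "user.example.download_time"
XATTR_USER = "user.example.download_user"

EXEC_MAGIC = (b"\x7fELF", b"#!")  # native binary or script: code, not data
_XATTR_UNSUPPORTED = {getattr(errno, "ENOTSUP", None), getattr(errno, "EOPNOTSUPP", None)}


def save_download(path, data, origin_url, user, now=None):
    """Write a downloaded file with no execute bit and record its provenance.
    Returns True if the provenance xattrs were stored, False if the platform or
    filesystem lacks user xattrs (the mode bits are applied in every case)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        view = memoryview(data)
        while view:
            view = view[os.write(fd, view):]
        os.fchmod(fd, 0o644)  # explicit: never +x, whatever the umask says
    finally:
        os.close(fd)
    if not hasattr(os, "setxattr"):
        return False
    stamp = int(time.time() if now is None else now)
    attrs = {XATTR_ORIGIN: origin_url, XATTR_TIME: str(stamp), XATTR_USER: user}
    try:
        for name, value in attrs.items():
            os.setxattr(path, name, value.encode())
    except OSError as e:
        if e.errno in _XATTR_UNSUPPORTED:
            return False
        raise
    return True


def provenance(path):
    """Read back whatever provenance attributes the file carries."""
    out = {}
    if hasattr(os, "getxattr"):
        for name in (XATTR_ORIGIN, XATTR_TIME, XATTR_USER):
            try:
                out[name] = os.getxattr(path, name).decode()
            except OSError:
                pass
    return out


def looks_like_code(path):
    with open(path, "rb") as fh:
        return fh.read(4).startswith(EXEC_MAGIC)


def open_decision(path):
    """Decide how a desktop 'open' action should treat the file."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return {"action": "exec_via_kernel", "message": ""}  # exec(2)/binfmt decides
    if looks_like_code(path):
        origin = provenance(path).get(XATTR_ORIGIN, "unknown")
        msg = (f"{os.path.basename(path)} is a program (downloaded from {origin}) "
               "but is not marked executable. Programs from the internet can damage "
               "your system. If you trust it, mark it executable first with: "
               f"chmod u+x {path!r}")
        # deliberately no 'run anyway' option next to the explanation
        return {"action": "refuse", "message": msg}
    return {"action": "mime_handler", "message": ""}


def demo():
    """Constructed end-to-end run in a temporary directory; returns the decisions."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "installer.sh")
        save_download(script, b"#!/bin/sh\necho pwned\n",
                      "https://example.invalid/installer.sh", "alice", now=0)
        doc = os.path.join(d, "notes.txt")
        save_download(doc, b"just text\n", "https://example.invalid/notes.txt", "alice", now=0)
        results = {
            "script_mode_x": os.stat(script).st_mode & 0o111,
            "script_first": open_decision(script)["action"],
            "doc": open_decision(doc)["action"],
        }
        os.chmod(script, 0o755)  # the user followed the chmod instruction
        results["script_after_chmod"] = open_decision(script)["action"]
        return results


if __name__ == "__main__":
    print(demo())
```

The content check only recognises ELF binaries and shebang scripts; a .desktop file or an OOo document with macros passes it and reaches the MIME handler, which is where the "in some cases" above has to be enforced by the handler itself. On a filesystem without user xattrs (some tmpfs and overlay setups) save_download() returns False and the file carries no provenance, but it is still saved without +x.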
SecurityTeam/Policies (last edited 2021-02-01 00:43:57 by alexmurray)