From: Tony Baechler
Date: Thu, 22 Oct 2009 00:57:43 -0700
To: "Speakup is a screen review system for Linux."
Subject: Re: clipboard integration -- possible security implications
Message-ID: <4AE01077.7010607@baechler.net>
In-Reply-To: <20091021160241.GA16006@linux1>
References: <20091020210034.GB32242@linux1> <4ADEC8D4.2040709@baechler.net> <20091021160241.GA16006@linux1>

Hi,

Ah, of course. OK, we need something like mktemp. Can Speakup set environment variables? What about restricting it so that it can only write the clipboard under /tmp? What I'm thinking is that somehow a random filename needs to be generated and somehow the name has to be communicated to the user.
By writing under /tmp, it avoids the /boot/vmlinuz problem that you outline but people could still create symlinks, so make it a random file that changes based on the ID of the logged in user. Put the name of that file in /sys/accessibility/speakup/clip. That creates an extra step for the user because they would have to open two files, first to find what the random file is and second to open the actual clipboard text, but that should be very secure. Obviously, the owner of both files would have to be the current user.

If you can write to the environment, you could set a variable with the random filename which could be read by any shell script, again such as speakupconf or just "set" by itself. It could also be used in a script if someone wanted to copy it to a predictable name, in which case security would be their problem.

On 10/21/2009 9:02 AM, William Hubbs wrote:
>> If another user logs in, they would need to have permission to access
>> files under /home/tony to do any good. If they wanted to copy text to
>> the clipboard, I would have to login as root and change the above
>> location or they could use something like speakupconf. That way, no
>> actual text would be stored under /sys at all from the clipboard.
>>
>
> This idea leads to another issue. If your system is compromised, it
> would be possible for someone to put something in the sys file like:
>
> /boot/vmlinuz
>
> and take your system down since the kernel could be directed to
> overwrite any file in the filesystem.
>
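
The symlink concern and the "something like mktemp" idea from this message, as an added userspace C example that is not part of the original post or of Speakup's code: a fixed clipboard name is written through a planted symlink, while a `mkstemp()` file (random name, `O_EXCL`, mode 0600, owner checked) leaves the linked file alone. The function names and the `clipdemo`, `victim` and `clip` paths are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed name: open() follows a symlink planted at `path` and truncates its target. */
int write_predictable(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* mkstemp() picks a random name and creates it with O_EXCL, mode 0600, so a
 * pre-existing file or symlink is never reused. tmpl must end in "XXXXXX". */
int write_random(char *tmpl, const char *text) {
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             st.st_uid == geteuid() && (st.st_mode & 077) == 0 &&
             write(fd, text, strlen(text)) >= 0;
    close(fd);
    return ok ? 0 : -1;
}

static long size_of(const char *p) { struct stat s; return stat(p, &s) ? -1 : (long)s.st_size; }

/* Constructed scenario in a private scratch dir. Returns a bitmask:
 * 1 = fixed-name writer clobbered "victim", 2 = mkstemp writer did,
 * 4 = clipboard text missing from the random file; -1 on setup failure. */
int run_scenario(void) {
    char dir[] = "/tmp/clipdemoXXXXXX", victim[64], clip[64], tmpl[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(clip, sizeof clip, "%s/clip", dir);
    snprintf(tmpl, sizeof tmpl, "%s/clip.XXXXXX", dir);
    if (write_predictable(victim, "KEEP") || symlink(victim, clip)) return -1;
    int r = 0;
    if (write_random(tmpl, "clipboard") == 0 && size_of(victim) != 4) r |= 2;
    if (size_of(tmpl) != 9) r |= 4;
    if (write_predictable(clip, "clipboard") == 0 && size_of(victim) != 4) r |= 1;
    unlink(tmpl); unlink(clip); unlink(victim); rmdir(dir);
    return r;
}
```

After `write_random()` returns, `tmpl` holds the generated name, which is the value the message proposes publishing to the user.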