Frank Worsley | 2 Nov 05:25 2003

Re: advanced nautilus usage

AFAIK, launchers from remote locations are not started since it's a
possible security issue.

- Frank

> Hi All,
>
>         I run 'nautilus ssh://uid@remotehost:/opt/scripts', which
> works fine. This folder contains launchers (app.desktop), which
> intend to start all kinds of applications. It doesn't work :-(
> Why? Am I missing something obvious? I run nautilus 2.2.4 on
> Debian Woody + testing (Gnome 2.2).
>
> Sincerely,
>
> Jan.
>
> --
> nautilus-list mailing list
> nautilus-list <at> gnome.org
> http://mail.gnome.org/mailman/listinfo/nautilus-list
>

-- 
nautilus-list mailing list
nautilus-list <at> gnome.org
http://mail.gnome.org/mailman/listinfo/nautilus-list

John Smith | 2 Nov 10:38 2003

Re: advanced nautilus usage

On Sun, 2003-11-02 at 05:25, Frank Worsley wrote:
> AFAIK, launchers from remote locations are not started since it's a
> possible security issue.
> 
> - Frank
> 
> > Hi All,
> >
> >         I run 'nautilus ssh://uid@remotehost:/opt/scripts', which
> > works fine. This folder contains launchers (app.desktop), which
> > intend to start all kinds of applications. It doesn't work :-(
> > Why? Am I missing something obvious? I run nautilus 2.2.4 on
> > Debian Woody + testing (Gnome 2.2).
> >
> > Sincerely,
> >
> > Jan.
> >
> > --
> > nautilus-list mailing list
> > nautilus-list <at> gnome.org
> > http://mail.gnome.org/mailman/listinfo/nautilus-list
> >
> 
Sorry Frank,

	I don't think that's valid: I'm using ssh. BTW, if I start
'ssh remotehost nautilus' go to 'applications:///Accessories' and
click Calculator, it works as expected. So why do regular (i.e. menu
placed apps) work as expected and manually created launchers don't?

Jens Ansorg | 2 Nov 17:56 2003

issue with browsing SMB in nautilus

using gnome-2.4 I have an issue with browsing smb shares in nautilus. 
I tried shares on the same machine (the linux server) and on a win2k.
I can access those shares with other apps, i.e. the SMB Browser that
comes with xfce4.

When I try 
#nautilus smb:

I get the error 
Sorry, couldn't display all the contents of "smb:///".

on the console I get

do_open_directory() smb:///
do_open_directory() smb://
LOCK
do_get_file_info() smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///
do_is_local(): smb:///

Zhiyuan Liu | 3 Nov 03:51 2003

any ideas about the pop menu for treeview component?

Hi, everybody
I'm thinking about adding the pop menu for treeview component.
This feature enhancement is necessary for a perfect file manager.
Has someone started the work?
 
Jens Ansorg | 3 Nov 19:01 2003

Re: issue with browsing SMB in nautilus

On Sun, 2003-11-02 at 17:56, Jens Ansorg wrote:
> using gnome-2.4 I have an issue with browsing smb shares in nautilus. 
> I tried shares on the same machine (the linux server) and on a win2k.
> I can access those shares with other apps, i.e. the SMB Browser that
> comes with xfce4.

update:
interestingly it kind of works on another machine, my Notebook that has
the same Gentoo-Linux with Gnome-2.4. There at least I can browse the
network and access some folders; though at the second level it fails to
show the content of folders

And I cannot figure out what might be different between the two
machines. Any hint where to search greatly appreciated.

thanks

-- 
Jens Ansorg <liste <at> ja-web.de>


Steven G. Johnson | 4 Nov 03:26 2003

head off email viruses: distinguishing documents from executables?

As usual, I have been getting lots of MS email viruses on my GNU/Linux
email account.  Occasionally, however, instead of trashing them, I marvel
at the evil social engineering that goes into them, and I think about how
a similar attack might be aimed at other systems, e.g. Linux.

One of the tricks seems to be to attach a .zip file of something that
purports to be a document, but is actually an executable (readme.doc.scr),
combined with an email ("Read this for our meeting tomorrow") that tricks
the user into opening it.  One could conceivably do a similar trick with
Linux (attaching a .tar.gz).

The basic problem is this: simply *reading* a file, no matter whom it is
from, *should* always be safe...at least there is no technical reason it
can't be, and this is what people expect from the real-world metaphor.
But, of course, with MS, you open a document and launch an executable in
the same way (double-click).  Similarly on a Mac.  And similarly (last I
checked, admittedly a long time ago) with GNOME.  The only exception is
the command line.  How does Nautilus handle this?

As a basic safety feature, when you double-click on an executable file,
before you execute it you might pop up a dialog saying "This is an
executable program, not a document, and it may run arbitrary commands; are
you sure you want to launch it?" (with a check box to disable the warning
for *that file* in the future).  By default, you may even want to disable
click-to-run executables entirely, except for specially-created desktop
shortcuts, since most people only need to launch executables from the
menu, by drag-and-drop, or by double-clicking an associated document.

Sorry to bother you if you've already thought about this, but I figured it
wouldn't hurt to be pro-active.

Carlos Perelló Marín | 4 Nov 11:22 2003

Re: head off email viruses: distinguishing documents from executables?

On Tue, 04-11-2003 at 03:26, Steven G. Johnson wrote:
> As usual, I have been getting lots of MS email viruses on my GNU/Linux
> email account.  Occasionally, however, instead of trashing them, I marvel
> at the evil social engineering that goes into them, and I think about how
> a similar attack might be aimed at other systems, e.g. Linux.
> 
> One of the tricks seems to be to attach a .zip file of something that
> purports to be a document, but is actually an executable (readme.doc.scr),
> combined with an email ("Read this for our meeting tomorrow") that tricks
> the user into opening it.  One could conceivably do a similar trick with
> Linux (attaching a .tar.gz).

The main difference between Linux and Windows is that you must give the
execution flag to that file so it will never be executed until you allow
it.

Nautilus just opens the file with an application but NEVER executes a
file if it cannot be executed.

> 
> The basic problem is this: simply *reading* a file, no matter whom it is
> from, *should* always be safe...at least there is no technical reason it
> can't be, and this is what people expect from the real-world metaphor.
> But, of course, with MS, you open a document and launch an executable in
> the same way (double-click).  Similarly on a Mac.  And similarly (last I
> checked, admittedly a long time ago) with GNOME.  The only exception is
> the command line.  How does Nautilus handle this?

If you give a file the execution flag, it's because you want to execute
that file. The problem is yours if that file is a virus...

Julien Olivier | 4 Nov 11:24 2003

Re: head off email viruses: distinguishing documents from executables?

On Tue, 2003-11-04 at 02:26, Steven G. Johnson wrote:
> As usual, I have been getting lots of MS email viruses on my GNU/Linux
> email account.  Occasionally, however, instead of trashing them, I marvel
> at the evil social engineering that goes into them, and I think about how
> a similar attack might be aimed at other systems, e.g. Linux.
> 
> One of the tricks seems to be to attach a .zip file of something that
> purports to be a document, but is actually an executable (readme.doc.scr),
> combined with an email ("Read this for our meeting tomorrow") that tricks
> the user into opening it.  One could conceivably do a similar trick with
> Linux (attaching a .tar.gz).
> 
> The basic problem is this: simply *reading* a file, no matter whom it is
> from, *should* always be safe...at least there is no technical reason it
> can't be, and this is what people expect from the real-world metaphor.
> But, of course, with MS, you open a document and launch an executable in
> the same way (double-click).  Similarly on a Mac.  And similarly (last I
> checked, admittedly a long time ago) with GNOME.  The only exception is
> the command line.  How does Nautilus handle this?
> 
> As a basic safety feature, when you double-click on an executable file,
> before you execute it you might pop up a dialog saying "This is an
> executable program, not a document, and it may run arbitrary commands; are
> you sure you want to launch it?" (with a check box to disable the warning
> for *that file* in the future).  By default, you may even want to disable
> click-to-run executables entirely, except for specially-created desktop
> shortcuts, since most people only need to launch executables from the
> menu, by drag-and-drop, or by double-clicking an associated document.
> 
> Sorry to bother you if you've already thought about this, but I figured it

Fabio Gomes de Souza | 4 Nov 13:16 2003

Re: head off email viruses: distinguishing documents from executables?


Carlos Perelló Marín wrote:

> 
> The main difference between Linux and Windows is that you must give the
> execution flag to that file so it will never be executed until you allow
> it.

Hmm. When we untar an archive, its files may already come with the 
executable flag set.

IMHO, what we should do about GNOME desktop security is make sure it 
ALWAYS behaves this way.

Some important things to mention in future development are:

- Default (factory) file associations: Nautilus should never come with 
built-in file associations to script interpreters, say:
	- .pl to /usr/bin/perl
	- .php to /usr/bin/php
	- .sh to /bin/bash
	- .py to /usr/bin/python
and so on. This list should be extended to every file association that 
could lead to execution of arbitrary commands. The work of choosing an 
interpreter must be left to the kernel and the shell. While this does not 
kill the entire problem (i.e., some apps have buffer overflows when 
processing documents), it's a nice beginning.

If the user wants to make these associations by hand, it's his problem.


Carlos Perelló Marín | 4 Nov 13:42 2003

Re: head off email viruses: distinguishing documents from executables?

On Tue, 04-11-2003 at 13:16, Fabio Gomes de Souza wrote:
> Carlos Perelló Marín wrote:
> 
> > 
> > The main difference between Linux and Windows is that you must give the
> > execution flag to that file so it will never be executed until you allow
> > it.
> 
> Hmm. When we untar an archive, its files may already come with the 
> executable flag set.

True, but you should untar it before you can execute it. "The GNOME way"
to open that tar (file-roller) will not let you execute it, only view
the files. We should help the user, but prevent for execute files that
he/she wants to execute...

> 
> IMHO, what we should do about GNOME desktop security is make sure it 
> ALWAYS behaves this way.
> 
> Some important things to mention in future development are:
> 
> - Default (factory) file associations: Nautilus should never come with 
> built-in file associations to script interpreters, say:
> 	- .pl to /usr/bin/perl
> 	- .php to /usr/bin/php
> 	- .sh to /bin/bash
> 	- .py to /usr/bin/python
> and so on. This list should be extended to every file association that 
> could lead to execution of arbitrary commands. The work of choosing an 

