FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 06-12-2011, 11:14 PM
 
Default Re (2): Configuring Iceweasel security policies.

From: Scott Ferguson <prettyfly.productions@gmail.com>
Date: Sun, 12 Jun 2011 20:20:17 +1000
> Stepping through what you've described above...
>
> You are on a Dalton console.

By console I mean the SVGA monitor, keyboard and mouse. It supports X11
in addition to plain CLI.

> If you are *not* running as root (and why would you be?)

Correct. User peter.

> You saved the page to "storage of Dalton".... presumably "storage" is
> somewhere below /home/peter....
>
> eg.:-
> home/peter/"Peter Lyall Easthope.html"

Here I stored it as /home/peter/Desktop/index.html. The choice of name
doesn't change the phenomenon being demonstrated.

We're dealing with two pages. There is the "primary" page containing
the Web link. Then there is the page Category2.html which is target of
the link in the primary page. Category2.html is always local. I can
open Category2.html when the primary page is local. Not when the primary
page is remote.

> You then say that the link works (I don't disbelieve you)- but that link
> is pointing at the root of Dalton, not the root of Peters home directory....
> So "something" I'm assuming in the above scenario is not correct.

Yes. There is a filesystem soft link as we discussed a day or two back.
peter@joule:~$ sudo ln -s /home/peter/Category2.html /Category2.html
peter@joule:~$ ls -l /C*
lrwxrwxrwx 1 root root 23 Jun 12 13:16 /Category2.html -> /home/peter/Category2.html
The filesystem and the Web both having "links" is a possible source of
confusion.

> Just to clarify:-
> When you click on a http link in a html page the link is "relative" to
> the web server.
> ...
> Because the browser replaces "file" with localhost, which renders the
> URI /"Peter Lyall Easthope.html" (damn absolute links!)

Yes, we're in sync for everything in those 5 paragraphs. Keep in
mind the filesystem link from ln -s above. That lets me open
/home/peter/Category2.html by targeting file:///Category2.html.

> I'm sure, somewhere in all these threads you've explained what Dalton is
> running,

Dalton runs Squeeze and Iceweasel.

> but I'm a little confused with talk of Oberon and vnc
> connections to Iceweasel running on other machines.

VNC is completely irrelevant to this discussion. It was
only part of an answer to Ron J. Oberon was mentioned only
to illustrate how I expected a rational browser to behave.
Oberon is not necessary to demonstrate the behaviour of
Iceweasel.

> When I refer to
> localhost I mean the machine that hosts Iceweasel.

Yes, dalton.

> I'm also assuming
> that Iceweasel is not running as root,

Correct.

> ,,, and that the directory that you
> save "Peter Lyall Easthope.html" into is mounted on the same machine as
> the file Category2.html.

Yes. That is dalton.

> Agreed - *but* http://peter@members.shaw.ca/ is asking the browser to
> login to members.shaw.ca.....
> And the server on shaw.ca says "I'm sorry Dave but...." :-D
> So what the browser is actually served is members.shaw.ca....
> eg.:-
> http://peter@members.shaw.ca/ == http://members.shaw.ca/
>
> Which seems like a waste of 6 characters ;-p

Correct. I put in the "peter@" when trying to imagine the meaning of
the error message from Iceweasel. I'll remove it.

The final observation is that there should be a way to open
file:///blah.html, regardless of where the link resides. At present
I can open it only with a link in a local page. The link on a remote
server, targetting file:///blah.html, produces only the error message
from Iceweasel. file:///<name> is always an absolute file name on the
local machine isn't it? Is there a syntax for a non-local file:///<name>?
Logically, that should not be necessary, but it might help with
troubleshooting.

Hopefully the failure of the non-local case is just a security default
which can be overridden. Otherwise it's a bug in Iceweasel.

> Cheers, and thanks for your patience.

Thanks for your patience. The thread is becoming stale and
there are too many small digressions. A fresh description of the
problem with new names might help ... except that everyone must be
fed up with it by now.

Regards, ... Peter E.



--
Telephone 1 360 450 2132. bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 171057036.62341.52315@heaviside.invalid">http://lists.debian.org/171057036.62341.52315@heaviside.invalid
 
Old 06-13-2011, 05:30 AM
Scott Ferguson
 
Default Re (2): Configuring Iceweasel security policies.

On 13/06/11 09:14, peasthope@shaw.ca wrote:
> From: Scott Ferguson <prettyfly.productions@gmail.com>
> Date: Sun, 12 Jun 2011 20:20:17 +1000
>> Stepping through what you've described above...
>>
<snipped>
>> You saved the page to "storage of Dalton".... presumably "storage" is
>> somewhere below /home/peter....
>>
>> eg.:-
>> home/peter/"Peter Lyall Easthope.html"
>
> Here I stored it as /home/peter/Desktop/index.html. The choice of name
> doesn't change the phenomenon being demonstrated.

Exactly! :-)

>
> We're dealing with two pages. There is the "primary" page containing
> the Web link. Then there is the page Category2.html which is target of
> the link in the primary page. Category2.html is always local. I can
> open Category2.html when the primary page is local. Not when the primary
> page is remote.

Yes! That is how I understand this to work.

>
>> You then say that the link works (I don't disbelieve you)- but that link
>> is pointing at the root of Dalton, not the root of Peters home directory....
>> So "something" I'm assuming in the above scenario is not correct.
>
> Yes. There is a filesystem soft link as we discussed a day or two back.

Ah - thank you for the clarification.
[blinking] It's all coming back to me now....

> peter@joule:~$ sudo ln -s /home/peter/Category2.html /Category2.html
> peter@joule:~$ ls -l /C*
> lrwxrwxrwx 1 root root 23 Jun 12 13:16 /Category2.html -> /home/peter/Category2.html
> The filesystem and the Web both having "links" is a possible source of
> confusion.

Partially.
I bring my own confusion.
I don't like to turn up empty handed ;-p

<snipped>

> The final observation is that there should be a way to open
> file:///blah.html, regardless of where the link resides.

In a perfect world.... ;-p
(see my final comments)

> At present
> I can open it only with a link in a local page. The link on a remote
> server, targetting file:///blah.html, produces only the error message
> from Iceweasel.

Yes - that is as it should be. A web page should only be able to load a
file from within it's *purview*. So a http link should point to
somewhere within the root of the web server (eg. /var/www or
~/public_html), and a file link should point to somewhere on the same
machine the link is served from (think of the authentication).

> file:///<name> is always an absolute file name on the
> local machine

Where "local machine" means the machine the page holding the link is
loaded on (where Iceweasel is running).

> isn't it? Is there a syntax for a non-local file:///<name>?

Not unless you can load a network protocol with a page link. I am unable
to categorically say that is not possible - *perhaps someone
knowledgeable could advise* (it may be trivial).

> Logically, that should not be necessary, but it might help with
> troubleshooting.
>
> Hopefully the failure of the non-local case is just a security default
> which can be overridden. Otherwise it's a bug in Iceweasel.

With my limited understanding of the network security issues - I doubt
it's a bug.

>
>> Cheers, and thanks for your patience.
>
> Thanks for your patience. The thread is becoming stale and
> there are too many small digressions. A fresh description of the
> problem with new names might help ... except that everyone must be
> fed up with it by now.
>
> Regards, ... Peter E.
>
>
>

To clarify - is it only you that needs to be able to use this file link??
If so - would you only be accessing it from Dalton (or where)??

There are other ways (java, a local monkey server, etc) that might be
used to solve this problem.

Cheers

--
We all pay for life with death, so everything in between should be free.
~ Bill Hicks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4DF5A073.9000601@gmail.com">http://lists.debian.org/4DF5A073.9000601@gmail.com
 

Thread Tools




All times are GMT. The time now is 12:55 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org