04-14-2011, 01:03 PM
Joel Rees

How to use rpm to install adobe-flash?

Pardon me for being pedantic here.

On Thu, Apr 14, 2011 at 2:34 AM, suvayu ali <fatkasuvayu+linux@gmail.com> wrote:
> Hi Joel,
>
> On Wed, Apr 13, 2011 at 5:56 AM, Joel Rees <joel.rees@gmail.com> wrote:
>> And we always su (if we do use su to do administrative tasks) from
>> users that we never surf the web from, right? You understand why?
>>
>
> I presume you are alluding to the possibility of the system being
> affected by keyloggers (as you mention later in your post)?

Keyloggers are an example. There are all sorts of malicious kinds of
software that can be installed via vulnerabilities in Flash. There are
more vulnerabilities than are known, and there are more known by those
who would keep them secret and use them to their own purposes than by
those who would help fix them.

>> Does that explain why I'm saying you don't want Flash loading every
>> time you run your web browser as any user?
>>
>
> How does this change when flash is installed as the regular user?

From what I said about not using su or sudo when logged in to an
account you surf the web from, you understand that I mean that the
user does not even use su or sudo to do the final step of copying
flash where it goes? The steps I gave, to move the downloaded tarball
to the home directory via the graphical file manager start a shell in
a terminal session and do this:

-----------------
cd .mozilla/plugins
tar xzf ~/Desktop/<flash-tarball-name.tar.gz>
-----------------

put the Flash plugin file in /home/<username>/.mozilla/plugins , not
in any system-wide file, not in any directory accessible to any other
user.

That means that flash will not even run for any other user.

Well, you can install flash in other users' .mozilla/plugins
directories if you want, of course, but only the users which have the
flash specifically installed will be able to run flash.

> Irrespective of how flash was installed, whatever vulnerabilities it
> introduces will be limited to the account that is using it. Isn't that
> correct?

Uhm. Actually, unfortunately, not necessarily. There have been
vulnerabilities that don't require setuid execution to escalate
privilege. Of course, with such vulnerabilities, the local
installation is not a high wall, but even low walls can help a little.

But you see that is not what I'm targeting with this recommendation.

>>> vulnerabilities in the
>>> plugin can _only_ affect the regular user.
>>
>> There are many paths to exploits besides things directly running in
>> the instance of the web server (with plugins) which you are currently
>> running. Tricks like leaving keyloggers and trojans behind, in places
>> where they get executed the next time you log in instead of now.
>>
>> So a Flash exploit lets the bad guys leave a keylogger in your surfing
>> account. That's not good (and in some senses it's a ticking time
>> bomb), but at least it isn't as bad as it could be.
>
> How does (not-)installing flash as root affect any of the above? What
> you are talking about above is something everyone should be mindful of
> when surfing the Internet irrespective of whether they are using flash.
>
> I still fail to see how installing flash as the regular user is saving
> the user from any vulnerabilities which he/she would be otherwise prone to.

Well, for all that, ideally, one would never surf the web as an admin
class user, many packages have their documentation in HTML. The docs
contain links to the project website.

And even if the project website is clean, it often has advertising
(often in Flash, no less), and links to other places which may or may
not be properly administered. It's all too easy for even the most
cautious admin user to get drawn out on the general web, and not
having flash installed in the general browser puts up more walls that
the intruder has to get through.

And then there's the bank's website and the question of whether flash
should be enabled in the browser you are typing your bank password in,
etc.

It's not a really high wall, but it is a way to put another wall
between the user's important data and the intruder, provide some more
buffer against social engineering and user error, etc.

--
Joel Rees
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
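
An audit for the placement described in the post above (the plugin only in the `.mozilla/plugins` of accounts that use it, and nowhere system-wide), added here as an example and not part of the original thread. The file name `libflashplayer.so`, the system-wide directories and the list of accounts to keep Flash-free are assumptions.

```shell
#!/bin/sh
# Added example: audit where the Flash plugin is installed on a multi-user box.
PLUGIN=libflashplayer.so   # assumption: plugin file name inside the tarball
SYSTEM_DIRS="usr/lib/mozilla/plugins usr/lib64/mozilla/plugins"  # assumption

# audit_flash ROOT HOME_BASE "NOFLASH_USERS"
# Prints one finding per line:
#   SYSTEM <path>    system-wide copy, loaded for every account
#   NOFLASH <user>   copy in an account that should stay Flash-free
#   WRITABLE <user>  plugin or its directory is world-writable
#   OK <user>        per-user copy with no finding
audit_flash() {
    root=${1:-/} home_base=${2:-/home} noflash=" ${3:-} "
    for d in $SYSTEM_DIRS; do
        f="${root%/}/$d/$PLUGIN"
        if [ -e "$f" ]; then echo "SYSTEM $f"; fi
    done
    for h in "$home_base"/*; do
        dir="$h/.mozilla/plugins"
        [ -e "$dir/$PLUGIN" ] || continue
        user=${h##*/} clean=1
        case "$noflash" in
            *" $user "*) echo "NOFLASH $user"; clean=0 ;;
        esac
        # -prune keeps find from descending; -perm -002 matches world-writable
        if [ -n "$(find "$dir" "$dir/$PLUGIN" -prune -perm -002 -print 2>/dev/null)" ]; then
            echo "WRITABLE $user"; clean=0
        fi
        if [ "$clean" -eq 1 ]; then echo "OK $user"; fi
    done
    return 0
}

# Run directly, e.g.: sh audit_flash.sh / /home "admin bank"
if [ "$#" -gt 0 ]; then audit_flash "$@"; fi
```

Run it from an account that can read the home directories; the account names passed as the third argument are whichever ones are used for admin work or banking.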
 
04-14-2011, 03:28 PM
Suvayu Ali

How to use rpm to install adobe-flash?

Hi Joel,

On Thu, 14 Apr 2011 22:03:00 +0900
Joel Rees <joel.rees@gmail.com> wrote:

> >> Does that explain why I'm saying you don't want Flash loading every
> >> time you run your web browser as any user?
> >>
> >
> > How does this change when flash is installed as the regular user?
>
> From what I said about not using su or sudo when logged in to an
> account you surf the web from, you understand that I mean that the
> user does not even use su or sudo to do the final step of copying
> flash where it goes?

I think I follow where we were differing. I didn't realise you also
meant no "administration related tasks" are done from the regular
account in question. Of course in that case it is definitely safer.

So your objection is definitely a valid point but it is not specific to
flash. It's a general principle of not exposing your administrative
password to user accounts that might have been infected by the outside
world.

Am I understanding this correctly? I guess we often make choices
between convenience over security. It usually depends on the context
and the administrator of the system whether it is an acceptable choice.

--
Suvayu

Open source is the future. It sets us free.
 
04-16-2011, 02:44 AM
Joel Rees

How to use rpm to install adobe-flash?

On Fri, Apr 15, 2011 at 12:28 AM, Suvayu Ali
<fatkasuvayu+linux@gmail.com> wrote:
> Hi Joel,
>
> On Thu, 14 Apr 2011 22:03:00 +0900
> Joel Rees <joel.rees@gmail.com> wrote:
>
>> >> Does that explain why I'm saying you don't want Flash loading every
>> >> time you run your web browser as any user?
>> >>
>> >
>> > How does this change when flash is installed as the regular user?
>>
>> From what I said about not using su or sudo when logged in to an
>> account you surf the web from, you understand that I mean that the
>> user does not even use su or sudo to do the final step of copying
>> flash where it goes?
>
> I think I follow where we were differing. I didn't realise you also
> meant no "administration related tasks" are done from the regular
> account in question. Of course in that case it is definitely safer.

Exactly.

> So your objection is definitely a valid point but it is not specific to
> flash. It's a general principle of not exposing your administrative
> password to user accounts that might have been infected by the outside
> world.

The principle is general, sure, but the application to Flash is
specific -- that the plugin should go in the .mozilla/plugins folder
of each user that uses it, and nowhere else.

It's not as good as having a separate box for the bank, but separate
accounts are not as bad as using the same account for posting to (say)
Digg or slashdot and for logging in to the bank.

Leaving Flash out of the account you log into the bank with
strengthens the walls against the un-foreseen accidents.

Likewise, if you don't have Flash loaded in the account you usually
use to do admin tasks, you have a little more breathing room when
you're checking the docs while you tweak the system, without using a
separate computer.

> Am I understanding this correctly? I guess we often make choices
> between convenience over security. It usually depends on the context
> and the administrator of the system whether it is an acceptable choice.

True. It's a little inconvenient.

In fact, if you have 138 users on the company network, and you have to
set up multiple accounts for each one, installing and updating Flash
and other bric-a-brac on some accounts and not on others, maybe you
have to decide between writing a script to handle the install across
the LAN and just installing/updating one global location.

For personal and family machines, however, I prefer the local install,
since the kids insist on having it.
 
04-16-2011, 06:37 AM
suvayu ali

How to use rpm to install adobe-flash?

On Fri, Apr 15, 2011 at 7:44 PM, Joel Rees <joel.rees@gmail.com> wrote:
>> So your objection is definitely a valid point but it is not specific to
>> flash. It's a general principle of not exposing your administrative
>> password to user accounts that might have been infected by the outside
>> world.
>
> The principle is general, sure, but the application to Flash is
> specific -- that the plugin should go in the .mozilla/plugins folder
> of each user that uses it, and nowhere else.
>
> It's not as good as having a separate box for the bank, but separate
> accounts are not as bad as using the same account for posting to (say)
> Digg or slashdot and for logging in to the bank.
>
> Leaving Flash out of the account you log into the bank with
> strengthens the walls against the un-foreseen accidents.
>
> Likewise, if you don't have Flash loaded in the account you usually
> use to do admin tasks, you have a little more breathing room when
> you're checking the docs while you tweak the system, without using a
> separate computer.
>
>> Am I understanding this correctly? I guess we often make choices
>> between convenience over security. It usually depends on the context
>> and the administrator of the system whether it is an acceptable choice.
>
> True. It's a little inconvenient.
>
> In fact, if you have 138 users on the company network, and you have to
> set up multiple accounts for each one, installing and updating Flash
> and other bric-a-brac on some accounts and not on others, maybe you
> have to decide between writing a script to handle the install across
> the LAN and just installing/updating one global location.
>
> For personal and family machines, however, I prefer the local install,
> since the kids insist on having it.

Okay. Now we are on the same page. Agree wholeheartedly.

After the discussion I am switching to using flash this way on my
machines. In any case I have to do it by hand as I use the 64 bit
flash. :-/

--
Suvayu

Open source is the future. It sets us free.
 
04-16-2011, 07:02 AM
"Kevin J. Cummings"

How to use rpm to install adobe-flash?

On 04/16/2011 02:37 AM, suvayu ali wrote:
> After the discussion I am switching to using flash this way on my
> machines. In any case I have to do it by hand as I use the 64 bit
> flash. :-/

No you don't:

> [flash]
> name=flash
> baseurl=http://dl.dropbox.com/u/6907158/flashplayer.x86_64
> enabled=1
> gpgcheck=1
> gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-leigh123linux

Put that in a file in /etc/yum.repos.d and you should have a packaged
version of the 64 bit Flash Player (square) that Adobe releases from
time to time. It is packaged by leigh123linux, and there are
discussions about it on www.fedoraforum.org.

--
Kevin J. Cummings
kjchome@verizon.net
cummings@kjchome.homeip.net
cummings@kjc386.framingham.ma.us
Registered Linux User #1232 (http://counter.li.org)