wicket
Posts: 634 | Thanked: 3,266 times | Joined on May 2010 @ Colombia
#34
Originally Posted by Xagoln:
If arbitrary code execution was possible, even as the user user from MicroB, yes, you're correct that they wouldn't be able to encrypt your files at the filesystem level, but wouldn't they still be able to delete/encrypt/corrupt/copy them on an individual basis?
An arbitrary code execution exploit in MicroB would give an attacker the same privileges as the user user. This normally means they would have read/write access to everything under /home/user including MyDocs. This assumes that the device owner hasn't done anything stupid to weaken the security. One thing that I forgot is that many users here use rootsh without a password, which would of course give the attacker full access to the device.

Even if rootsh isn't installed, the user may not be safe. The default setup allows it to be installed without root privileges. In my opinion rootsh should be removed from the repositories but this probably wouldn't even be enough.

If you ask me, Maemo is very broken in this respect. It's not that hard for an attacker to create some malware, create multiple Garage accounts and then vote it up for promotion to Extras. Actually, they probably don't even need to do that. They can just enable Extras-devel and install anything from that. It's part of the reason why I want to replace Maemo with Debian.
__________________
DebiaN900 - Native Debian on the N900. Deprecated in favour of Maemo Leste.

Maemo Leste for N950 and N9 (currently broken).
Devuan for N950 and N9.

Mobile devices with mainline Linux support - Help needed with documentation.

"Those who do not understand Unix are condemned to reinvent it, poorly." - Henry Spencer

Last edited by wicket; 2016-09-17 at 22:54.
 

The Following 5 Users Say Thank You to wicket For This Useful Post: