-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday, 2013-11-07 at 23:20 +0100, Christian Boltz wrote:
Am Donnerstag, 7. November 2013 schrieb Carlos E. R.:
So, what exactly are the security risks I get into by opening local PDF files (generated by reputable sources, such as governments) with acroread in Linux? Can they be avoided or limited with a good AppArmor profile?
I don't know about the exact security risks - maybe someone from the security team knows more details.
With an AppArmor profile, you can make sure that acroread only reads *.pdf files and doesn't read or modify random files on your disk. You can also forbid networking - but this doesn't sound too useful when you need to submit a form online ;-)
No, I don't need to submit forms online. That only works, AFAIK, on intranets. It needs a special adobe server and probably only works on the Windows version. I've never had the chance to try, anyway. In fact, when I remember, I activate a firewall trick to block acroread from communicating on internet.
Anyway, I'll attach my AppArmor profile for acroread. It's not as tight as it could be (and I'll probably do some changes to it now that I know acroread won't get security updates anymore), but it's a good start. Be warned that you will need to change it - for example I'm quite sure your home directory is not /home/cb/ ;-)
It is a start, thanks. Now that I think, the yast apparmour wizard has disappeared, so it is more difficult to adjust profiles.
Note: the profile only covers the binary, not the wrapper script.
Which is that?
If the danger is in the Firefox plugin, for instance, that can be removed with less trouble.
Indeed, just zypper rm acroread-browser-plugin
I'd strongly recommend to do that (guess who split off this subpackage, and why... ;-)
No idea... But I already removed it some hours ago. - -- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlJ8QXgACgkQtTMYHG2NR9WWlwCeOPRgR2iWs/UNnipezaGqkyHg uMUAnAxJeCOkoqVOqL0YvjOuDZt/Nzbs =l6bc -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org