http://bugzilla.opensuse.org/show_bug.cgi?id=1134131
http://bugzilla.opensuse.org/show_bug.cgi?id=1134131#c13

Hillwood Yang <hillwoodroc@gmail.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|RESOLVED    |REOPENED
         Resolution|NORESPONSE  |---

--- Comment #13 from Hillwood Yang <hillwoodroc@gmail.com> ---
I see
(In reply to Matthias Gerstner from comment #11)
> (In reply to moyanhao@deepin.com from comment #8)
> > https://github.com/linuxdeepin/dde-file-manager/pull/195 requiring
> > authorization before taking actions.
>
> Okay, this reduces the attack surface considerably by default.
>
> > https://github.com/linuxdeepin/dde-file-manager/pull/194 remove unused
> > com.deepin.filemanager.daemon.policy
>
> Good, this is necessary cleanup.
>
> > https://github.com/linuxdeepin/dde-file-manager/pull/193 fix crash issues
> > when executed without parameters, and unify the output between "not
> > existing" and "not a block device".
>
> Hmm, the check `!path.startsWith("/dev/")` is not good style. You need to
> stat() the file and check the file type. You should also make sure the path
> is not a symlink (by using O_NOFOLLOW). A sequence like
>
>     int fd = open(path, O_PATH | O_NOFOLLOW);
>     struct stat s;
>     // S_ISBLK() tests the file type; "st_mode & S_IFBLK" would also match
>     // character devices and directories, since S_IFBLK is a bit pattern.
>     if (fd < 0 || fstat(fd, &s) != 0 || !S_ISBLK(s.st_mode) || s.st_uid != 0) {
>         // fail: not openable, not a block device, or not owned by root
>     }
>
> would be needed. I don't know right away how to achieve that best with the
> Qt API; it is not well designed for security, sadly.
>
> You can additionally keep the check for the /dev prefix, but before checking
> for that prefix you should normalize the path, otherwise the user can simply
> specify something like /dev/../root/.bashrc.
>
> > https://github.com/linuxdeepin/dde-file-manager/pull/196 compatibility
> > with new format of lsblk output
>
> Okay, this should work.
>
> > https://github.com/linuxdeepin/dde-file-manager/pull/190 don't read
> > .pam_environment any more
>
> Good.
I see all the pull requests have been merged by upstream, and upstream updated these polkit profiles. I think the polkit profiles could be reappraised now.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
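The check Matthias describes in the quoted comment (normalize the path before the /dev prefix test, open with O_PATH | O_NOFOLLOW, fstat() the descriptor, and require a root-owned block device) as a complete C example. This is added here; it is not code from dde-file-manager, from the pull requests, or from the bug thread. The function names normalize_path and check_block_device_path, the dev_check error codes, and the sample paths are this example's own assumptions.

```c
#define _GNU_SOURCE          /* O_PATH is a Linux extension */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of check_block_device_path(); names are this example's own. */
enum dev_check {
    DEV_OK = 0,
    DEV_ERR_NOT_ABSOLUTE,   /* not an absolute path (or does not fit the buffer) */
    DEV_ERR_OUTSIDE_DEV,    /* normalised path does not start with /dev/ */
    DEV_ERR_OPEN,           /* open() failed: missing, EACCES, ... */
    DEV_ERR_STAT,           /* fstat() failed */
    DEV_ERR_NOT_BLOCK,      /* exists but is a symlink, char device, file or dir */
    DEV_ERR_NOT_ROOT_OWNED  /* block device, but not owned by uid 0 */
};

/* Lexically normalise an absolute path: collapse repeated '/', drop "." and
 * resolve ".." against the preceding component, so "/dev/../root/.bashrc"
 * becomes "/root/.bashrc" before any prefix check. The filesystem is not
 * touched and no symlink is followed. Returns 0, or -1 on bad input. */
int normalize_path(const char *in, char *out, size_t outlen)
{
    if (in == NULL || in[0] != '/' || outlen < 2)
        return -1;
    size_t o = 1;                 /* out is always "/" or "/a/b", no trailing '/' */
    out[0] = '/';
    const char *p = in;
    while (*p != '\0') {
        while (*p == '/')         /* skip one or more separators */
            p++;
        if (*p == '\0')
            break;
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.')
            continue;             /* "." is a no-op */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            while (o > 1 && out[o - 1] != '/')   /* pop the last component */
                o--;
            if (o > 1)
                o--;              /* and its leading '/'; ".." at root stays at root */
            continue;
        }
        if (o + 1 + len + 1 > outlen)
            return -1;
        if (o > 1)
            out[o++] = '/';
        memcpy(out + o, seg, len);
        o += len;
    }
    out[o] = '\0';
    return 0;
}

/* Normalise, require the /dev/ prefix, open without following a symlink in
 * the final component, then fstat() the descriptor and require a root-owned
 * block device. S_ISBLK() is used rather than "st_mode & S_IFBLK": S_IFBLK
 * is a multi-bit pattern, so the latter also matches character devices and
 * directories. */
enum dev_check check_block_device_path(const char *path)
{
    char norm[PATH_MAX];
    if (normalize_path(path, norm, sizeof norm) != 0)
        return DEV_ERR_NOT_ABSOLUTE;
    if (strncmp(norm, "/dev/", 5) != 0)
        return DEV_ERR_OUTSIDE_DEV;

    /* O_PATH: no read/write permission on the node is needed. With O_NOFOLLOW
     * a symlink as the last component yields an fd to the link itself, which
     * fstat() reports as S_IFLNK and the S_ISBLK() test rejects. */
    int fd = open(norm, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return DEV_ERR_OPEN;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    if (rc != 0)
        return DEV_ERR_STAT;
    if (!S_ISBLK(st.st_mode))
        return DEV_ERR_NOT_BLOCK;
    if (st.st_uid != 0)
        return DEV_ERR_NOT_ROOT_OWNED;
    return DEV_OK;
}

int main(int argc, char **argv)
{
    /* Constructed sample inputs; /dev/null is a character device and is rejected. */
    const char *samples[] = { "/dev/../root/.bashrc", "/dev/null", "/dev//sda1/./" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i], check_block_device_path(samples[i]));
    return argc > 1 ? check_block_device_path(argv[1]) != DEV_OK : 0;
}
```

Two caveats for anyone porting this into the daemon: O_NOFOLLOW only applies to the last path component, so a symlinked directory earlier in the path (for example a link under /dev pointing elsewhere) is still traversed, which is why the fstat()-based type and owner check, not the prefix, is the real guard; and the lexical normalisation deliberately does not call realpath(), so device symlinks such as those under /dev/disk/ are rejected rather than resolved, which is the conservative choice for a privileged helper.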