GNOME Bugzilla – Bug 322553
Evolution can run scripts to create signatures - this feature can't be disabled.
Last modified: 2008-05-26 18:04:50 UTC
Please describe the problem:
We want to implement a locked down desktop environment with users having no command line access. The applications we want to use in this environment include Evolution. Evolution currently has the ability to run arbitrary shell scripts. Gnome has recently introduced a lockdown capability - see link below:
http://www.gnome.org/learn/admin-guide/latest/ch10s03.html
Evolution should be made compliant with this lockdown architecture. This means making it possible for an admin user to disable the running of user signature scripts and any other shell backdoors it may have.

Steps to reproduce:
1. Create a file called hack.sh with a text editor and add the contents "cat /etc/passwd"
2. Make the file executable
3. Open Evolution and go to Edit/Preferences/Composer Preferences/Signatures.
4. Click on Add Script button and select browse. Go to Home and select hack.sh script.
5. Compose a new message, select signatures and the hack.sh script.
6. Send the e-mail

Actual results:
One of our supposedly locked down users gets a copy of our password file.

Expected results:
If there is a capability to turn off the signature scripts in Evolution if desired, then if the capability is enabled the Evolution user shouldn't be able to run signature scripts. Perhaps they should even be offered the ability to create one.

Does this happen every time?
Yes.

Other information:
Evolution and Firefox are the most popular Gnome apps. Firefox has its own lockdown architecture. We want to run Firefox and Evolution under KDE's "Kiosk Mode". In that situation Evolution is the weak link as far as allowing running arbitrary commands via the signature scripts.
Adding keyword; confirming as it was discussed on the mailing list. Please note that this is a potential security leak, so setting severity to major.
Typo above - I meant to say Perhaps they ***shouldn't*** even be offered the ability to create one.
Updated doc link: http://library.gnome.org/admin/system-admin-guide/2.22/lockdown-manual.html.en
Created attachment 110115
proposed evo patch

for evolution; Driven by "/desktop/gnome/lockdown/disable_command_line" key. If disabled, then no signature is generated.
Milan, I would like it to be the other way around. This gconf key isn't going to be changed often and mostly is a one timer. So load it as mail config and use it, rather than checking for the value on every composer or preference invoke. [You must read Federico's perf talk: His quote on GCONF] In fact, to speed up Evo, we can look at such pieces and improve.
Created attachment 110157
proposed evo patch ][

for evolution; Ouch, it hurts... so small patch and needs-work... :) But I'm fine with these changes. Btw, if requested to disable scripting on other places too, then feel free to move the helper function to e-util or somewhere. I didn't do that because it is not required yet.
Commit to trunk
Committed to trunk. Committed revision 35551.
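
The gating discussed in the comments above (no signature is generated when "/desktop/gnome/lockdown/disable_command_line" is set, and the key is read once instead of on every composer invocation), as an added C example that is not the attached patch or Evolution's own code. The names mail_config_load and run_signature_script are hypothetical, and the GConf lookup is assumed to happen in the caller at start-up.

```c
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example with hypothetical names, not Evolution's code. Set once at
 * start-up from GConf key /desktop/gnome/lockdown/disable_command_line. */
static int scripts_disabled = 1;         /* fail closed until loaded */

void mail_config_load(int disable_command_line)
{
    scripts_disabled = disable_command_line != 0;
}

/* Returns the script's stdout (caller frees), or NULL when lockdown is
 * active or the script fails, so that no signature is generated. */
char *run_signature_script(const char *path)
{
    int fds[2], status;
    size_t len = 0, cap = 4096;          /* signatures are small; cap output */
    ssize_t n;
    char *out;
    pid_t pid;

    if (scripts_disabled || pipe(fds) < 0)
        return NULL;                     /* checked before anything is run */
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return NULL;
    }
    if (pid == 0) {                      /* child: stdout goes to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execl(path, path, (char *)NULL); /* direct exec, no shell */
        _exit(127);
    }
    close(fds[1]);
    out = malloc(cap + 1);
    while (out && len < cap && (n = read(fds[0], out + len, cap - len)) > 0)
        len += (size_t)n;
    close(fds[0]);
    waitpid(pid, &status, 0);
    if (out && WIFEXITED(status) && WEXITSTATUS(status) == 0) {
        out[len] = '\0';
        return out;
    }
    free(out);
    return NULL;
}
```

The preferences dialog would consult the same cached flag so that the Add Script button is not offered when the key is set.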