touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #107058
Re: [Bug 1393515] Re: browser allows browsing the phone filesystem
On 09/28/2015 02:23 PM, Jamie Strandboge wrote:
> Currently the webbrowser is not confined (there is another bug for that)
> but webapps are (so this bug doesn't affect, say, facebook in the store,
> but it does affect webbrowser-app). There is a bug to confine
> webbrowser-app and I agree that with that confinement should come
> content-hub integration.
>
> This use case Seth pointed out falls under
> https://wiki.ubuntu.com/SecurityAndPrivacySettings/ProtectingUserData
> and we are still in 'Phase 1': "For Phase 1, users desiring privacy and
> elevated security against casual theft should enable a PIN/password,
> protect that PIN/password against theft and not lend the phone to people
> they do not trust". In other words, the current implementation does not
> protect against lending to a bad actor-- there is only so much we can do
> without a guest account on the system designed for lending.
>
Yes bad actor is out of scope
> But, we haven't done all we can do without a guest account (ie, phase 1)
> yet and we shouldn't make it trivial to access potentially sensitive
> data. Seth is right to point out that the web browser is different than
right alternate user/guest user accounts are part of the solution to
the bad actor problem but outside of the scope of the web browser being
a problem.
> a file browser in that it is read access. It is also true that lending
a
No, it is only by ui convention that the web browser is mostly read
only. Users can still exploit it to load external content and save it
to the file system, and an exploit can exploit the browser to have
full access to the file system.
ie. from a security pov mostly read access because of usage pattern
still must be treated as full read/write because the write access is
possible.
> phone to someone with your open session allows them to open all your
> apps as you (eg, adjust your email settings, request a password reset
> from facebook, etc). I think the website misses some of these finer
of course again, don't give your phone to a bad actor
> points, but ultimately I agree with John-- we can do more, today, while
> looking forward. How about having the (currently unconfined) webbrowser-
> app intercept file:// and use content-hub? While I think there are some
> UX issues to deal with (I doubt file:// access was considered in the
> current implementation and merely a byproduct of the chromium content
> api). This would then make it trivial to confine, would work in the
> converged world and prevent trivial read access to data today.
>
so as long as this happens along with confinement, that would be acceptable.
I don't care if the underlying access to the content hub is a hack, it
is the browsers direct access to the filesystem that needs to be curtailed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1393515
Title:
browser allows browsing the phone filesystem
Status in webbrowser-app package in Ubuntu:
Confirmed
Status in webbrowser-app package in Ubuntu RTM:
Confirmed
Bug description:
Using a URL like: file:/// gets you to the root of the phone
filesystem ... i assume this is not actually desired since we even
block the filemanager app to go higher up then $HOME without requiring
a password.
The webbrowser-app should either:
* behave like the file-manager (see bug #1347010 for details)
* file:/// should be disabled altogether on the phone
* webbrowser-app should run confined which would force the use of
content-hub by limiting file:/// access to those paths allowed by
policy
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1393515/+subscriptions
Follow ups
References