Comment 5 for bug 592121

On 10.06.2010 17:40, Jamie Strandboge wrote:
> I'll put your personal attack aside

Unfortunately, it is a major american attitude and a trained form of
ignorance to void and discard a complete class of critics. When making
a mistake which's reasons are in the personal views and mind of the one
who makes the mistake, critics are necessarily personal. Ignoring these
forms of critics, as it is common an usual in the american culture,
opens the door for a full category of flaws, mistakes, and wrong
decisions, which are on one hand as well part of the US culture, but on
the other hand absolutely inacceptable in concerns of security.

> and address your point as I think
> your main question is valid. I would appreciate it if you would
> discontinue these attacks.
>

And I would appreciate if you'd fix the problem and listen to my bug
report.

The way you were ignoring my points and marking them as invalid was
highly offensive seen from my personal cultural background. American
people tend to accept only the american way of life as the only valid
form of interaction. There is no non-personal way of dealing with
someone not willing to listen to non-personal arguments.

> The browser is supposed to be able to read and write files from the user's directory.

Technically wrong.

The browser is supposed to read and write just it's configuration
files/directory.

Besides that, the browser is supposed to read and write files from a
user's directory if and only if the user explictely wants to do so, and
only those files the user wants to read or write. The browser is
definitely not supposed to read and write any file in $HOME or /* . I
don't see where you would take that definition from.

Especially, the browser is not supposed to read or write files silently
without user's consent. But that's exactly what happens if under attack.

> This is *by design* of the browser, in particular firefox.

Wrong claim for two reasons.

The first is: There is no such design and no such task of the browser.
Show me where that design should be defined.

The second is: You simply do not understand what security is and means.
Even if that was a design of the browser, your argument was wrong.
Because there are attacks and flaws in the browser, and therefore the
browser accidently or because of attack does something it is not
designed to do.

Or in other, more simple words: Let the browser do what it is designed
for, but use security to prevent it from things it was not designed to.

For example, the browser is designed to open a requester and to
inform/ask the user before up-/downloading a file. Silently reading or
writing arbitrary files without user's consent is definitely against
firefox' design, so your point is technically wrong.

(and btw, even if you take this as a personal attack, but it's something
that must be said, because that's the main problem: Someone who argues
the way you do is definitely not competent in IT security. Maybe it
would be better to pass the security relevant tasks in ubuntu to someone
else experienced with such problems.)

> How else is someone supposed to download a file? To upload their presentation to the company webserver? If the AppArmor profile denied these actions by default, what would the regular user who knows nothing of AppArmor do?
>

Sorry, but that point is both silly and wrong. I would appreciate if
you'd remain objective, because in my cultural background it is
considered as rude argueing that unobjective way.

a) there is a difference between beeing able to upload a file and beeing
able to upload any file. There is something between all files and no
files at all.
b) The way you argue would be an argument against any security measure
at all. Hey, why do you have file permissions at all? Why do you use
user accounts without root permissions? You should alway run firefox as
root, because only then you can be sure to be able to upload all files
you might want. Understand what I am talking about?
c) What if the presentation is confidential and should not go the
internet but is silently fetched by hackers?

d) I've never said that the 'default' setting should be to deny. I've
said that the default settings must be put into a separate file to allow
the admin to set it to the local needs without interfering with the
master apparmor file for firefox. Once modifying the
/etc/apparmor.d/usr.bin.firefox runs you into trouble, because you
either don't get updates or you have to modify it after every update
again (please read the docs about ubuntu/debian /etc files).

The problem is, that you talk about a 'default' setting, but actually
you are enforcing it to be open, without leaving the local admin a good
and clean chance to keep it more closed. You are counterfighting
security. And based on your words, you do not understand the
requirements of security.

> * If we were lucky, they would only turn off only the firefox profile (which, I might add is *opt in* only right now). This action would weaken the security stance of firefox since it would now be running totally unconfined.
>

Nonsense. You don't seem to have understood the apparmor.d configuration
principle as well.

That's what these abstraction files are made for.

Put all these configuration lines that are not necessary to run firefox
itself and just needed for up-/download of files into a separate
abstraction file and include it. Leave it open by default.

When installing firefox open a dialog to inform the admin, that it is
open by default and that the admin should change to meet local security
needs. That's the clean and proper way.

That way you have your default open setting (which is really a default
and not an enforcement) and allow the admin to set a local policy
without interfering with or missing future updates.

> * If we were more unlucky, the user would turn off all of AppArmor (this has been seen occasionally with AppArmor but famously with SELinux). The result would be that CUPS, dhclient, evince, the guest-session and other profiles in Ubuntu would be disabled.
>

Again, that's nonsense.

You are trying to decide between using apparmor not at all or using it
the wrong way.

You have to use apparmor the correct way. The way it was designed to, to
use your wording. Learn to use it.

If you argue to use firefox the way it was designed, why is it so
difficult for you to use apparmor as well the way it was designed?

>
> AppArmor can protect against many things. The firefox profile protects against execution of arbitrary code by the browser and reading/writing of files you do not own (eg /etc/passwd), reading/writing sensitive files like the user's gnome-keyring, ssh keys, gnupg keys, history files, swp, backup files, rc files and to files in the standard PATH. It also confines add-ons and extensions to the above. Firefox is integrated into the Desktop and so it must be allowed to open helper programs and access the user's data. The profile is by default *general purpose* with the design being:
> * when enabled, it significantly improves the security of firefox as is
> * it provides a starting point for people to confine firefox how they want to
> * the implementation gives the user the ability to fine-tune it to be as strict as desired
>

you are talking, and talking, but it does not get any better.

The way you write the profile is not a default, it is effectively an
enforcement. You are forcing systems into beeing open if the local admin
does not want to cope with config file after every package update, which
is unfeasibly.

Sorry to disappoint you. But you are someone who must be personally
critized, because the problem, the reason is in your person only. You
simply did not understand how security in common and how apparmor in
particular works. All your arguments were pointless, and trying to show
a conflict that does not exist, simply because you do not understand how
things work.

And therefore my question what qualified you to deal with such bug
reports. I don't see the knowledge and experience in IT security
necessary for that job in your email.

And btw., the way you are offending others without realizing it while
beeing so easily offended yourself is not helpful.

Sorry to say that, but I'll cite your mail to prove that ubuntu lacks
the capacity to deal with security sufficiently.

Hadmut