Re: [Pan-users] Save attachment file permissions


From: Steven D'Aprano
Subject: Re: [Pan-users] Save attachment file permissions
Date: Tue, 17 Feb 2009 11:10:00 +1100
User-agent: KMail/1.9.6 (enterprise 0.20071012.724442)

On Tue, 17 Feb 2009 07:30:55 am Paul Crawford wrote:
> I just tried saving a suspect file of the avi.exe sort to see how
> it behaved under LINUX using Pan 0.132 and I found it used '755'
> permission settings thus rendering it (theoretically, at least)
> executable.

Oh boy. I've just confirmed this in the wild:

Newsgroups: alt.binaries.howard-stern
Subject: Re: REQ Repost Amelie video. - Private-Amelie-14-27.avi [1/1]
Date: Fri, 13 Feb 2009 18:41:22 -0000
Message-ID: <address@hidden>

This contains a trojan "Private-Amelie-14-27.avi.exe" which is saved 
as executable under Linux using Pan 0.132. In contrast, other 
attachments (e.g. JPEGs) are saved as non-executable.

Under Linux, files are created with default permission 644, which is 
non-executable. This *strongly* suggests that Pan is deliberately 
setting the executable bit on exe files (and others?).

Now, it's true that Windows executables are *mostly* harmless on 
Linux. I say "mostly" because:

* There are rare viruses which will execute under both Linux and 
Windows. E.g. the Simile/Etap virus, which infects both Portable 
Executable (Windows) and 32-bit ELF files (Linux) applications.

* Some people do run Wine, and have exe files configured to run in 
Wine on a double-click. Wine is good enough at emulating Windows that 
it can run viruses and trojans.


> OK, I know this is a Windows virus file, but it seems very bad
> practice as no doubt someone could post a shell script or malicious
> program for LINUX as well.

Absolutely.

> Should it not default to '644' under *all* cases, and at least
> force the user to use chmod if they REALLY do want to execute some
> downloaded attachment?

Yes yes oh gods yes!

If I'm right that Pan is specifically setting the executable 
permission based on the file name, and I can't imagine how it could 
not be, I have to ask: what on earth was Charles thinking?


> Thinking here of my non-tech family who now enjoy the relative lack
> of software threats by "embracing the penguin"...

It's not just non-techs, it's techs too.

After using KDE for something like six or seven years, I was horrified 
to discover that double-clicking a script *executed* the script 
instead of opening it in an editor... and executed it in the root of 
my home directory instead of the directory it was in, thus maximising 
the damage it did when it ran. (At least Gnome *asks* whether you 
want to open or launch executable scripts.) In six years, I had never 
double-clicked an executable script, and the first time I did, I lost 
data.

I can't even say I'll never do it again, because I write a lot of 
executable Python scripts, and I edit them from the GUI but execute 
them from the command-line. I'm sure it will happen again eventually, 
because I'm only human.

And honestly, any tech using a GUI is eventually going to be faced 
with a filename like (say) 
"Battlestar.Galactica.S02E19.A.Really.Long.Episode.Name.EZTV.DVDRIP.blah.blah.blah.blah.avi.exe" 
and double-click it without noticing the .exe part. It's easy to 
do. There's a reason why Unix and Linux default to making files 
non-executable and requiring people to explicitly make them 
executable.

What Pan does, by accident or design, is a shockingly bad thing. It's 
introducing typical Windows-like insecurity into Linux.

(Pan is hardly the only culprit. KDE and Gnome have introduced 
launchers that don't need to be executable to execute. Foolish 
foolish foolish.)



-- 
Steven D'Aprano 
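
The behaviour asked for in the message above (attachments saved without the executable bit "under *all* cases") can be sketched as follows. This is an added example, not part of the original post and not Pan's code; `sanitize_mode`, `save_attachment`, `file_perms` and the sample path are hypothetical names, and the sample data is constructed.

```c
/* Added example, not Pan's code. All names here are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Keep read/write bits only: drops execute, setuid, setgid and sticky. */
mode_t sanitize_mode(mode_t requested) { return requested & 0666; }

/* Create a new file at path and write len bytes. Returns 0 or -1.
 * `requested` is whatever mode the caller was handed (by a message header,
 * a filename rule, a config); it is never trusted to grant execute. */
int save_attachment(const char *path, const void *data, size_t len, mode_t requested)
{
    /* O_CREAT|O_EXCL fails on an existing file or symlink instead of reusing it. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, sanitize_mode(requested));
    if (fd < 0)
        return -1;
    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted before writing: retry */
        if (n < 0) {
            close(fd);
            unlink(path);           /* do not leave a partial file behind */
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return close(fd);
}

/* Permission bits of path as seen on disk, or -1 if stat fails. */
int file_perms(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    const char *path = "/tmp/constructed-sample.avi.exe"; /* constructed name */
    unlink(path);
    if (save_attachment(path, "MZ", 2, 0755) != 0)
        return 1;
    printf("%s saved with mode %04o\n", path, (unsigned)file_perms(path));
    return unlink(path);
}
```

The process umask can only clear further bits from the mode passed to `open()`, so the saved file ends up at 644 or stricter and the user has to `chmod` it deliberately before it can run.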



