[etoys-dev] Re: Etoys new fonts
richi.moran at gmail.com
Fri Jun 11 16:44:31 EDT 2010
Ohhh, ok, I didn't consider the security issues. Please forget what I said.
On Fri, Jun 11, 2010 at 5:12 PM, Bert Freudenberg <bert at freudenbergs.de> wrote:
> On 11.06.2010, at 20:48, Yoshiki Ohshima wrote:
> > At Fri, 11 Jun 2010 14:57:32 -0300,
> > Ricardo Moran wrote:
> >> Please correct me if I'm wrong. What I mean is: currently Etoys uses the
> >> default directory to store project files and so
> >> it changes the default directory to point to a different place than the
> Not quite. It changes the default directory to the only guaranteed
> writeable directory. Everything else becomes inaccessible once the security
> sandbox is enabled (which happens when you run someone else's project). The
> only exception is the resource directory, which is still accessible, but
> read-only. In the Etoys case, we chose that resource directory to be the
> image directory. I was simply suggesting that for better clarity we use
> "resource directory" in the code, rather than "image directory".
> >> But the default directory is used for
> >> a lot of other stuff (saving the image with "save as...", looking for
> >> fonts, Monticello's package cache, writing logs,
> >> and so on).
> Right, except for loading fonts. Those need to be looked up in the resource
> directory for the fonts we ship, and possibly also in the default directory
> for user-installed fonts (but I'd hope that in normal operation we do not
> need that font download anymore).
> >> Maybe we could keep the default directory pointing to the image path (as
> >> the Squeak trunk image) and simply
> >> change the directory where we store the project files. This directory
> >> would be "etoysPath" (or any other name you
> >> consider better).
> >> So, what I propose is, instead of making a "resourcePath" for locales,
> >> quickguides, fonts, etc. we create an "etoysPath"
> >> only for storing projects and we change the default directory back
> >> to the image path.
> Not a good idea.
> A lot of code assumes (rightly) that the default directory is writable.
> When the security sandbox is enabled, we only have a single writable
> directory. We definitely need to write projects. Hence, the project
> directory must be the default directory.
> > One thing is that Etoys needs more strict readonly vs. read-write
> > permission distinction of files and directories than a typical trunk
> > installation, as somebody can make a malicious project and upload it
> > to a server and mess up the writable directory. So, in general the
> > fonts should be in the read-only directory. (It has never been a
> > problem so far, and searching two places like Subbu suggested would
> > have the advantage of allowing downloadable fonts, but less secure.)
> > I am pretty sure that you are not proposing to add a new directory
> > that SecurityPlugin knows. (A new directory accessing method that
> > returns already-known directory name.) But I am still not sure if
> > what you propose simplifies the problem...
> > (I am not really closely following the discussion so forgive me if
> > I'm missing something.)
> Yoshiki is right. You need to take the security sandboxing into account.
> - Bert -
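Added example, not Etoys or Squeak code, written in Python because the thread's point is the directory policy rather than any particular Smalltalk API: it models the layout Bert describes (one writable default directory, one read-only resource directory, nothing else reachable while the sandbox is on), the font lookup order he mentions (resource directory first, then the default directory for user-installed fonts), and the limit Yoshiki raises (a project can still write anywhere inside the single writable directory). The `SandboxPolicy` class, its method names, and the directory and file names are assumptions made for the illustration; paths are resolved before the check so that a link or a `..` component planted in the writable directory does not reach outside it.

```python
"""
Added example (not Etoys or Squeak code): a small model of the sandbox
directory policy discussed in the thread. The class, its methods and the
directory names are assumptions made for this illustration.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


def _is_under(path: Path, root: Path) -> bool:
    """True if `path` resolves (symlinks and '..' included) to somewhere
    inside `root`. Resolving first is what keeps a link or a '..' planted
    in the writable directory from reaching outside the sandbox."""
    real_path = Path(os.path.realpath(path))
    real_root = Path(os.path.realpath(root))
    try:
        real_path.relative_to(real_root)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class SandboxPolicy:
    """The thread's layout: one writable default directory (projects are
    saved there) and one read-only resource directory (shipped fonts,
    locales, quick guides); everything else is inaccessible once the
    sandbox is enabled."""
    default_dir: Path
    resource_dir: Path
    enabled: bool = True

    def may_read(self, path: Path) -> bool:
        if not self.enabled:
            return True
        return _is_under(path, self.resource_dir) or _is_under(path, self.default_dir)

    def may_write(self, path: Path) -> bool:
        if not self.enabled:
            return True
        return _is_under(path, self.default_dir)

    def find_font(self, name: str):
        """Font lookup as the thread describes it: shipped fonts in the
        resource directory first, then user-installed fonts in the default
        directory. The second place is the less secure one, since whatever
        a project writes there is picked up as well."""
        for root in (self.resource_dir, self.default_dir):
            candidate = root / name
            if candidate.is_file() and self.may_read(candidate):
                return candidate
        return None


def run_demo() -> dict:
    """Build a constructed directory layout, exercise the policy and return
    the individual checks so they can be inspected or asserted."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        resource_dir = base / "image"     # constructed stand-in for the image directory
        default_dir = base / "projects"   # constructed stand-in for the writable directory
        resource_dir.mkdir()
        default_dir.mkdir()
        (resource_dir / "Shipped.ttf").write_bytes(b"shipped font (constructed)")
        (default_dir / "User.ttf").write_bytes(b"user-installed font (constructed)")
        outside = base / "outside.txt"
        outside.write_text("not reachable once the sandbox is on")

        # A link inside the writable directory that points outside it.
        link = default_dir / "escape"
        try:
            link.symlink_to(outside)
        except OSError:
            link = default_dir / ".." / "outside.txt"  # same idea via '..'

        policy = SandboxPolicy(default_dir, resource_dir)
        unsandboxed = SandboxPolicy(default_dir, resource_dir, enabled=False)
        shipped = policy.find_font("Shipped.ttf")
        user = policy.find_font("User.ttf")
        return {
            "read_shipped_font": policy.may_read(resource_dir / "Shipped.ttf"),
            "write_into_resource_dir": policy.may_write(resource_dir / "Shipped.ttf"),
            "write_project": policy.may_write(default_dir / "mine.pr"),
            # The limit Yoshiki points out: nothing stops one project from
            # touching another's files inside the single writable directory.
            "overwrite_other_project": policy.may_write(default_dir / "theirs.pr"),
            "read_outside": policy.may_read(outside),
            "traversal_write": policy.may_write(default_dir / ".." / "outside.txt"),
            "link_escape": policy.may_read(link),
            "unsandboxed_read_outside": unsandboxed.may_read(outside),
            "shipped_font_from_resource": shipped is not None and shipped.parent == resource_dir,
            "user_font_from_default": user is not None and user.parent == default_dir,
            "missing_font": policy.find_font("Nope.ttf"),
        }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Running the module prints one line per check; the two `True` write results next to each other (`write_project` and `overwrite_other_project`) are the point of Yoshiki's remark: the policy confines projects to the writable directory but does not separate them from each other within it, which is why the shipped fonts belong in the read-only resource directory.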