Security in NVDA


René Linke <rene.linke@...>
 

Hi,

In production environments, the Python console should not be enabled. It's a high security risk!
Only in Alpha and Beta versions should the function be enabled by default.

René


Brian's Mail list account <bglists@...>
 

Surely if you use an admin account you need access to the console to troubleshoot things.
Brian

bglists@blueyonder.co.uk
Sent via blueyonder.
Please address personal E-mail to:-
briang1@blueyonder.co.uk, putting 'Brian Gaff'
in the display name field.

----- Original Message -----
From: "René Linke" <rene.linke@hamburg.de>
To: "NVDA" <nvda@nvda.groups.io>
Sent: Monday, September 17, 2018 2:26 AM
Subject: [nvda] Security in NVDA


Hi,

In production environments, the Python console should not be enabled. It's a high security risk!
Only in Alpha and Beta versions should the function be enabled by default.

René



Antony Stone
 

What is the risk?

What can a non-admin user do with the Python console that they can't do, for
example, through the command prompt?

Antony.

On Monday 17 September 2018 at 03:26:58, René Linke wrote:

Hi,

In production environments, the Python console should not be enabled.
It's a high security risk!
Only in Alpha and Beta versions should the function be enabled by
default.

René
--
Atheism is a non-prophet-making organisation.

Please reply to the list;
please *don't* CC me.


Ralf Kefferpuetz
 

Hello,

I don't see any security risk, you are only able to do things that are allowed by your domain profile and security rules applied to your computer.

Cheers,
Ralf

-----Original Message-----
From: nvda@nvda.groups.io <nvda@nvda.groups.io> On Behalf Of René Linke
Sent: Monday, 17 September 2018 03:27
To: NVDA <nvda@nvda.groups.io>
Subject: [nvda] Security in NVDA

Hi,

In production environments, the Python console should not be enabled.
It's a high security risk!
Only in Alpha and Beta versions should the function be enabled by default.

René


René Linke <rene.linke@...>
 

I don't want to give more hints about it, nor about how you can do things to compromise something on a system with that, and with the help of other tools.


Antony Stone
 

Can you give one example of some risk which exists with the Python console
which does not already exist in the command prompt, without giving details of
how to actually do some damage?

I simply don't believe that the fact you can type Python commands is any more
dangerous than what you can do already in the command prompt window.

I also believe that anyone who says "this system is insecure" without giving
any evidence to back up that claim is scare-mongering.


Antony.

On Monday 17 September 2018 at 11:58:10, René Linke wrote:

I don't want to give more hints about it, nor about how you can do
things to compromise something on a system with that, and with the help of
other tools.
--
Schrödinger's rule of data integrity: the condition of any backup is unknown
until a restore is attempted.

Please reply to the list;
please *don't* CC me.


Quentin Christensen
 

Hi René,

In a secure environment, you can run NVDA with the --secure command line argument, which does disable the Python console (as well as disabling the add-on manager).

Kind regards

Quentin.

On Mon, Sep 17, 2018 at 11:27 AM René Linke <rene.linke@...> wrote:
Hi,

In production environments, the Python console should not be enabled.
It's a high security risk!
Only in Alpha and Beta versions should the function be enabled by
default.

René






--
Quentin Christensen
Training and Support Manager

Official NVDA Training modules and expert certification now available: http://www.nvaccess.org/shop/

Facebook: http://www.facebook.com/NVAccess 
Twitter: @NVAccess