"Name" key value in desk. entry spec collides with file names, could misguide users?

Robert Wittams robert at wittams.com
Wed Mar 16 01:24:28 EET 2005

Diego Calleja wrote:
> Yesterday a friend got a worm, the worm itself don't uses *any* vulnerability. It just
> uses your open messenger account to autosend itself as verysexy.pif. Your
> contacts *trust* you and so they get the .pif file, as soon as it downloads they
> try to open it and boom - they're infected and the chain starts again. This worms
> can spread itself regardless of the privileges, and microsoft can't do much about
> it: sending files is legal, and they can't stop them clicking on a .pif file (I bet that
> in future releases of messenger they'll modify the client so that it doesn't accepts
> .pif/.exe/.scr/etc files, it's the one thing they can do). If .pif files weren't always
> executables like currently .desktop files are, this worm wouldn't have worked. 

The way to solve this in general is to seperate the concept of a 
principal from the set of priveledges that a process has. A process on 
unix or windows currently starts out with a horrificly large set of 
ambient priveledges.

There are various approaches to this : Capability systems like KeyKOS or 
Eros are the purest. Unfortunately, this means throwing out the whole of 

SELinux is the leading candidate for the near future: binaries 
downloaded from your instant messenger, browser, or mail client would 
not run with the same priviledges as a program that is part of your 
distribution ( eg they would not be able to contact the instant 
messenger, or even detect it running.) Unfortunately it seems that 
SELinux is extremely hard to manage without a whole bunch of new tools 
that have yet to be designed or written. There are a bunch of other 
approaches : easy to create throw away accounts which drop posix caps ( 
very coarse grained), loading attachments in a virtual machine with 
access controls, etc, etc. All of these solutions require unspoofable 
gui tools to grant fine grained access while the execution is in 
progress - so you never end up giving access to your office docs or 
gnucash database without knowing it. This needs X server and 
window/composite manager help.

So there are things that can be done. I hope they will be done.

More information about the xdg mailing list