"Name" key value in desk. entry spec collides with file names, could misguide users?
Robert Wittams
robert at wittams.com
Sun Mar 20 22:17:32 EET 2005
>> Why? Because I don't believe requiring a magic flag to be set to run a
>> program makes things more secure, it just decreases usability.
>
> ...selinux actually makes this worse, by not allowing you to do anything - at all with what you
> downloaded. And if it does have a method to run it, it's not different than the +x solution,
> except for being more complex and less portable to other systems.
>
I'm not convinced that the +x solution is good or bad as a stop gap. But...
SELinux definitely is NOT the same as the +x solution. The +x solution
gives the user one choice:
"Do you want to give this program as much control over this computer as
you have?"
Any SELinux solution worth its salt is going to allow the script to run
in a sandbox, see if it tries to do anything more, and ask if the user
wants to grant the permission to do that single act, or widen the
permission to future acts.
Well-behaved programs that foresee the need will ask for permissions up
front. Trojans that want to seem well-behaved will do the same. But they
won't be able to hide what they want to do, due to the unspoofable
window features that will need to be built into next gen
window/composite managers, and used by the sandboxing process.
This will of course require a lot of work. But it will be a *real*
solution to trojans arriving in downloads and emails. Yours is a stop
gap. Don't compare the two as if they are similar - they are not.
The standard complaint here is that users will just say yes to
everything. This is based on experience gained from the masterful
ActiveX dialog and Sun's Java Web Start. I think the user experience can
be improved from these disasters: for one, this won't be about trusting
corporate behemoths.
And as to portability: sometimes POSIX is not enough; we can't wait for
every API to be implemented everywhere before allowing its use. Of
course, nothing stops other systems just forgoing the extra security
features, implementing them, or forging their own path.
Robert