.desktop files, serious security hole, virus-friendliness

Dave Cridland dave at cridland.net
Mon Apr 3 18:14:15 EEST 2006


On Mon Apr  3 14:48:25 2006, Rodney Dawes wrote:
> > 2. do you think we should fix it?
> 
> I don't think we should rely on the +x bit. The point of the +x bit is
> that you can run the thing, from anywhere. Just setting it +x won't let
> you run it from the shell. You'd have to change the spec to specify an
> implementation to be an interpreter that works on the console, and that
> the first line of .desktop files be #!/path/to/interpreter, which may
> differ between systems. This would be quite bad and annoying, for the
> user to deal with.
> 
> 
"[...] an interpreter that works on the console" seems to be 
overstating the problem, at least by implication. Saying that 
.desktop files MUST begin with the line "#!/bin/false" works just 
fine - they're not designed to run except from within a specific 
environment anyway.


> However, what I /do/ think we should do, is to fix the spec, and the
> implementations, to more clearly define and interpret the Exec field.
> The problem really is that it's fairly arbitrary in what it allows.
> Clarifying that to be more specific, to disallow language interpretation
> from the .desktop file, would help a lot more than just +x, I think.

Yes, this needs to happen too. That's "as well", and not "instead". 
As a first step, it'd be very interesting to know what the Exec field 
does actually get used for in legitimate .desktop files.


> You could easily default a download to +x, simply by putting it within
> an archive which does preserve permission bits. The attacker could quite
> easily put the .desktop file in a .tar, and when the user downloads it,
> and opens it, they see a file in the archive utility, and then run it,
> and since it has the +x already, we would just run it. It doesn't seem
> like that is much of a solution to me. :)

This is true, but there's a secondary benefit to the +x hiding away 
here - it's easy for a file manager, archiver, etc to display all +x 
files with an emblem of some kind, and many have done so for years.

Sure, there's always a way around any hoop we put up for people to 
jump through, and the only safe choice would be to destroy the 
internet, and unplug your computer (from ethernet, modem, and power).

Dave.
-- 
           You see things; and you say "Why?"
   But I dream things that never were; and I say "Why not?"
    - George Bernard Shaw
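As an added example (not part of this post or of the Desktop Entry spec), a small Python audit that applies the checks discussed above to a .desktop file: whether it starts with the proposed "#!/bin/false" line, whether it carries a +x bit, and whether its Exec= field hands inline code to an interpreter. The interpreter table and the two sample files are assumptions constructed for the example.

```python
import configparser
import os
import re
import shlex
import stat

# Interpreters and the flags that make them run code given inline on the command line.
# Assumed list for this example; it is not taken from the Desktop Entry spec.
INLINE_CODE_FLAGS = {
    "sh": {"-c"}, "bash": {"-c"}, "dash": {"-c"}, "zsh": {"-c"},
    "python": {"-c"}, "python3": {"-c"}, "perl": {"-e", "-E"}, "ruby": {"-e"},
}

def exec_findings(exec_value):
    """Findings for one Exec= value: inline-code interpreters and shell metacharacters."""
    try:
        argv = shlex.split(exec_value)
    except ValueError:
        return ["Exec= has unbalanced quotes"]
    if not argv:
        return ["Exec= is empty"]
    findings = []
    prog = os.path.basename(argv[0])
    if any(a in INLINE_CODE_FLAGS.get(prog, ()) for a in argv[1:]):
        findings.append(f"Exec= runs inline code via {prog}")
    if re.search(r"[;&|`$<>]", exec_value):
        findings.append("Exec= contains shell metacharacters")
    return findings

def audit_desktop_file(text, mode=0):
    """Audit .desktop contents plus its st_mode (0 if unknown); returns a list of findings."""
    findings = []
    if not text.startswith("#!/bin/false"):
        findings.append("first line is not #!/bin/false")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("file has the +x bit set")
    cp = configparser.ConfigParser(interpolation=None)  # keep %U/%f field codes literal
    cp.optionxform = str  # .desktop keys are case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error as e:
        return findings + [f"unparseable: {e.__class__.__name__}"]
    if not cp.has_section("Desktop Entry"):
        return findings + ["no [Desktop Entry] group"]
    entry = cp["Desktop Entry"]
    if entry.get("Type") == "Application":
        findings += exec_findings(entry.get("Exec", ""))
    return findings

# Constructed sample files: a plain launcher and one whose Exec= carries inline shell code.
SAFE = "#!/bin/false\n[Desktop Entry]\nType=Application\nName=Editor\nExec=gedit %U\n"
RISKY = "[Desktop Entry]\nType=Application\nName=Update\nExec=sh -c \"echo hello\"\n"
```

Call `audit_desktop_file(text, os.stat(path).st_mode)` on a real file; an empty list means none of the checks fired.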