.desktop files, serious security hole, virus-friendliness

Sam Watkins sam at nipl.net
Fri Apr 7 13:26:11 EEST 2006


On Wed, Apr 05, 2006 at 03:43:25PM +0200, Benedikt Meurer wrote:
> Sam Watkins wrote:
> > Does anyone other than me think my proposed solution might be the right
> > thing to do?  or can you offer some "tweaks" and criticisms to make it
> > better?  If so, I'm happy to have a go at implementing it.
> 
> I still don't see the advantage of requiring +x for .desktop files. As
> pointed out several times in this thread there are several ways for an
> attacker to set the +x bit on a .desktop. For example, placing the
> virus.desktop in an archive with +x set. The user would then extract the
> archive and voila.

peace,

One might also argue that people should drink and drive because it's
possible to have car accidents anyway.

Perhaps we should fix archival software so it warns on extracting or
opening if there are files with +x, and provides an option to get rid of
the +x permission.  This is a different problem, as it also concerns
scripts and ELF executables, etc.  The vulnerability with .desktop
files is different and more serious, as it would be much easier to get
infected by mistake.

> Also, most "good" software will tell people to "chmod +x $filename",
> just like "bad" software will do. There's no way for the user to tell
> whether it's really safe to follow the advice (except looking at the
> Exec field, but that requires knowledge about the various common shell
> commands).

I'm worried about accidents, not about users who are stupid enough to
actually "chmod +x" a virus because some bogus web-page tells them to!
Those users deserve what they get.

The fact is, many many viruses have been able to spread only because MS
Windows doesn't have a +x bit, including many viruses based on .pif
files which are the windows equivalent of .desktop files.  It's an
OBVIOUS thing for a virus writer to do, to make a virus in a .desktop
file, and send it as an email attachment or make it an automatic
download from their dodgy website.

I reckon if I made such a virus, and posted it as an attachment to
various free-software related lists (e.g. Ubuntu lists), quite a lot of
people would activate the virus.  I might quite possibly even do it
myself by mistake on a bad day!

Can't we at least agree that this IS a problem?  and concentrate on
solving this SPECIFIC problem?

To repeat, the problem is that .desktop files, UNLIKE EVERY OTHER SORT
OF UNIX PROGRAM OR SCRIPT, can be executed without having been granted
the +x permission.

> There's also another scenario not yet covered by this thread: An
> attacker with access to the file system could simply create a
> myfile.png.desktop in /tmp (or another world writable directory, which
> the user is likely to visit from time to time) with a faked Icon, that
> looks like a thumbnail of a PNG file (maybe just a PNG file from the
> users home dir), chmod +x myfile.png.desktop and wait for the user to
> double click it. Dunno how relevant this case is in reality, but it
> demonstrates that the +x bit requirement doesn't provide any advantages
> over non-executable .desktop files.

Yes an attacker who ALREADY HAS LOCAL USER ACCESS to a box could do
this!  but this is an altogether DIFFERENT and much less worrisome
problem, compared to the one I'm trying to address.

It seems to me that your argument here is like saying "there's no point
locking my car, because my wife has a copy of the keys and she might
steal it".  or "there's no point locking my car, a thief might already
be hiding under the back seat!".

It is worth thinking about this scenario too.  We could perhaps address
it with a dialog that pops up if you try to execute a .desktop file that
is owned by someone else (other than root).  Or perhaps only .desktop
files owned by yourself or root would be given fancy icons and custom
names.

Anyway, I feel that malware booby-traps from other local users are not
a very common problem on a desktop machine.  I have never heard of such
a thing happening even on windows boxes.  And it's not a problem that
could be widespread like a virus or malware can be.

> And in the same light: The user double-clicks a .desktop file without +x
> bit set. The file manager will consider this file "unsafe" as you said,
> and popup a dialog which says "The file is unsafe, blah, blah..." and
> includes the value of the Exec field. Now imagine this user is just an
> average desktop computer user and knows only a few basic shell commands.
> How likely is it that this user would know what's going on here? Very
> unlikely, indeed. So, he/she will probably just click "Run anyway", or a
> more advanced user will maybe google for the problem and find a forum
> which talks about this problem and suggests to "chmod +x $filename" to
> solve it.

Well if he/she clicks "run anyway" on a pop-up that says "watch out,
this might be a virus", then he/she has officially bitten him/herself in
the ass so to speak and deserves to get a virus and pay me $10^6 to
remove it.

I don't think GNU/Linux desktops need to be cretinous-idiot-proof.
But they do need to be safe enough that a person who can understand the
word "VIRUS" is not going to get a virus by a trivial sequence of two
clicks.

> The "solution" would only help to protect skilled users, who are able to
> interpret the Exec value properly.

I don't agree.  In the common case the user would not have INTENDED to
download an executable program.  When the dialogue pops up, they would
be cautious and say "no", and possibly ask an expert for help or delete
the unwanted file.

Another alternative is if the system simply completely refuses to
execute .desktop files that are -x.  But this would be inconvenient
given that there are a lot of cut-and-paste .desktop files "out there"
on various wikis at the moment.


Sam
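As an added illustration of the policy argued for in this mail (require +x, otherwise show the Exec field in a warning or refuse outright, and also flag .desktop files owned by someone other than yourself or root), and not code from this thread or from any desktop project: a small Python checker run against a constructed sample launcher. The names `assess_desktop_file`, `Verdict` and `demo` are assumptions.

```python
import os
import stat
import tempfile
import configparser
from dataclasses import dataclass


@dataclass
class Verdict:
    action: str    # "run", "warn" or "refuse"
    reason: str
    exec_cmd: str  # the Exec value, to be shown to the user on "warn"


def parse_exec(path):
    """Return the Exec= value of a .desktop file, or '' if it has none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path, encoding="utf-8")
    return cp.get("Desktop Entry", "Exec", fallback="")


def assess_desktop_file(path, trusted_uids=None, refuse_without_x=False):
    """Decide what a file manager should do with a double-clicked .desktop file.
    Policy (as proposed in the mail, assumed here): no +x -> warn with Exec shown,
    or refuse if configured; owner not self/root -> warn; otherwise run.
    trusted_uids defaults to {root, current user}; it is a parameter only so the
    owner check can be exercised without root."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}
    st = os.stat(path)
    exec_cmd = parse_exec(path)
    if not exec_cmd:
        return Verdict("refuse", "no Exec field", "")
    if not st.st_mode & stat.S_IXUSR:
        if refuse_without_x:
            return Verdict("refuse", "not executable (-x)", exec_cmd)
        return Verdict("warn", "not marked executable; would run: " + exec_cmd, exec_cmd)
    if st.st_uid not in trusted_uids:
        return Verdict("warn", "owned by uid %d, not you or root" % st.st_uid, exec_cmd)
    return Verdict("run", "executable and owned by a trusted uid", exec_cmd)


# Constructed sample: a launcher dressed up as an image (Icon= looks like a PNG).
SAMPLE = ("[Desktop Entry]\nType=Application\nName=holiday.png\n"
          "Icon=image-x-generic\nExec=sh -c 'echo would-have-run'\n")


def demo():
    """Write SAMPLE to a temp dir; return the actions for -x, -x/refuse, +x, +x/foreign owner."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "holiday.png.desktop")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE)
        os.chmod(path, 0o644)
        before = assess_desktop_file(path).action
        refused = assess_desktop_file(path, refuse_without_x=True).action
        os.chmod(path, 0o755)
        after = assess_desktop_file(path).action
        foreign = assess_desktop_file(path, trusted_uids=set()).action
    return before, refused, after, foreign
```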
