Security issue with .desktop files revisited

Francois Gouget fgouget at codeweavers.com
Wed Apr 12 15:46:25 EEST 2006


Rodney Dawes wrote:
> Better yet, let's not encourage people to turn .desktop files into
> scripts. As has been expressed MANY times in this thread, requiring +x
> and a special tool that doesn't evaluate Exec any differently than we
> are currently evaluating Exec, doesn't solve the problem. It is very
> easy to ship a .desktop file to someone that is already +x.

In order to run an executable one must have the execute permissions for 
that executable. Whether you like it or not .desktop files are 
executables and, as such, running them ('opening' them in desktop 
parlance) should require that you have the relevant execute permissions.

Requiring +x on .desktop files also makes it possible to add an emblem 
to the icon of those that lack it, and/or to issue a warning when the 
user tries to run them. Thus this also protects users from .desktop 
files that have a misleading icon.

Sure there are many ways to make a .desktop file executable. But that's 
completely beside the point, because once we require +x on .desktop 
files they represent no more of a threat than shell scripts and ELF 
binaries. So any solution to that particular problem must also take care 
of those, otherwise it is useless. By the way, such a solution exists: it 
relies on Extended Attributes and, as has been said before, will take a 
long time before it can really be deployed.


So to summarize the current situation:
  * .desktop files are the only type of executable that can be run with 
a single click immediately after download
  * they can specify a misleading icon to fool the user

And after we require .desktop files to have +x:
  * .desktop files cannot be run without special action by the user
  * .desktop files cannot rely on their icon to fool the user


> We need to fix the evaluation semantics of Exec, not write a bunch of
> easily-avoidable workarounds.

I don't see anything to be fixed in the 'evaluation semantics of Exec' 
that would help solve this problem. Maybe if you have a concrete 
proposal, that can be discussed further. When writing your proposal, 
please keep in mind that it must be flexible enough to allow stuff like

Exec=/opt/cxoffice/bin/wine --workdir "C:////Program Files////QuickTime" --check --cx-app "C:////Program Files////QuickTime////QuickTimePlayer.exe"

(all on one line of course) while not allowing

Exec=rm -rf /


-- 
Francois Gouget
fgouget at codeweavers.com
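As an added example (not part of this thread and not the code of any desktop environment), the following Python sketch implements the rule argued in the mail above: a launcher refuses to "open" a .desktop file that lacks the execute bit, and only for files that have it does it read the Exec key and split it into an argv. The sample entry, the paths in it and the file names are constructed for the demonstration; the Exec splitting uses shlex, which approximates but does not fully implement the desktop-entry quoting rules.

```python
import os
import shlex
import stat
import tempfile
from typing import Optional

# Constructed sample entry (hypothetical program and paths, not from the thread).
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Sample Player
Icon=folder
Exec=/opt/example/bin/player --workdir "C:////Program Files////Sample" --check %f
"""


def has_exec_bit(path: str) -> bool:
    """True if any execute bit (owner, group or other) is set on the file.

    A freshly downloaded file normally has none, which is what the
    "+x required" rule relies on; a file that lacks it is also the one
    a file manager would mark with a warning emblem instead of its Icon.
    """
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def parse_exec(text: str) -> Optional[str]:
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "Exec":
                return value.strip()
    return None


def exec_argv(exec_value: str) -> list:
    """Split Exec into argv honouring double quotes and backslash escapes.

    shlex approximates the spec's quoting rules. Field codes such as %f or
    %u, which a real launcher would expand, are dropped here.
    """
    argv = shlex.split(exec_value)
    return [a for a in argv if not (len(a) == 2 and a.startswith("%"))]


def launch_decision(path: str) -> tuple:
    """Decide what a launcher should do with a .desktop file.

    Returns ("run", argv) only when the file is executable and has an
    Exec key; otherwise a "refuse: ..." reason and an empty argv.
    """
    if not has_exec_bit(path):
        return ("refuse: not executable", [])
    with open(path, encoding="utf-8") as fh:
        exec_value = parse_exec(fh.read())
    if exec_value is None:
        return ("refuse: no Exec key", [])
    return ("run", exec_argv(exec_value))


def demo() -> dict:
    """Write the sample twice: as downloaded (0644) and after the user marks it +x (0755)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, executable in (("downloaded.desktop", False), ("trusted.desktop", True)):
            p = os.path.join(tmp, name)
            with open(p, "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_DESKTOP)
            os.chmod(p, 0o755 if executable else 0o644)
            results[name] = launch_decision(p)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, "->", decision)
```

The decision is made on the file's mode bits before its contents are even read, so a misleading Icon= or Name= in a non-executable entry never reaches the user as a runnable item; the Exec value itself is only split, never evaluated by a shell.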




More information about the xdg mailing list