A way of making .desktop files more secure
Samuel Lidén Borell
samuellb at bredband.net
Wed Oct 11 19:36:19 EEST 2006
After digging through the mailing list archives I think I've come up with
a solution to the security problems with .desktop files (they can have
icons of other file types display any filename).
The idea is to show a warning dialog when an untrusted .desktop file is
encountered, and optionally remember the user's choice (for example,
with a "Always trust" button). A .desktop file would be considered
untrusted if it's not owned by a "system" user (i.e. root, bin, etc.),
and its filename is not included in one of the "trusted .desktop
files"-files (see below). Files placed in hidden directories (like
~/.local/share/applications/ and ~/.gnome2/panel2.d/default/launchers/)
would always be considered trusted since the user is unlikely to
download files to there.
The "trusted .desktop files" files are plain text files with one trusted
path per line (which can be a file but also a directory). Paths should
be allowed to begin with ~/ so files can be trusted independently of the
user name. There would be one system-wide file (located in /etc/) and
one per-user file (located in each user's home directory).
* Doesn't require any changes to the .desktop file format
* Doesn't require special software, file systems, etc.
* Since most .desktop files are either installed as root, or installed
to a hidden directory, most .desktop files should work out-of-the-box
without any warning dialogs.
* Probably not very hard to implement.
* Allows distributions and administrators to trust files/directories
(that are placed on users' desktops, for example).
* .desktop-files need to be granted once again if they're moved.
* Entries in the "trusted .desktop files" file will not be deleted when
the .desktop file is deleted.
* Programs that create .desktop files on the desktop (~/Desktop) will need
to be modified to add their .desktop files to the "trusted .desktop
files" file or the user will see the warning dialog the first time he
uses them (Firefox saves downloaded files to ~/Desktop by default so
we can't trust that directory).
Do you think this is a good solution? Or is there something that I
forgot to think of?
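An added illustration of the trust decision proposed above (my own code, not from the proposal or from any desktop environment): the file owner and the contents of the "trusted .desktop files" lists are passed in as arguments so the check runs without touching the filesystem. The set of "system" account names and the skipping of blank lines are assumptions; a real implementation would take the owner from os.stat() and compare resolved (realpath) paths so a symlink cannot borrow trust from a trusted directory.

```python
import os

# Assumed set of "system" accounts; the proposal only says "root, bin, etc."
SYSTEM_USERS = {"root", "bin", "daemon"}


def parse_trusted_list(text: str, home: str) -> list:
    """Parse a 'trusted .desktop files' file: one path per line, either a
    file or a directory. A leading '~/' is expanded to the user's home so
    the list works for any user name. Blank lines are skipped (assumption)."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("~/"):
            line = os.path.join(home, line[2:])
        paths.append(os.path.normpath(line))
    return paths


def in_hidden_dir(path: str, home: str) -> bool:
    """True if some directory component of path below $HOME starts with '.'
    (e.g. ~/.local/share/applications/). Paths outside $HOME never match."""
    rel = os.path.relpath(path, home)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        return False
    dirs = rel.split(os.sep)[:-1]          # drop the file name itself
    return any(d.startswith(".") for d in dirs)


def is_trusted_desktop_file(path: str, owner: str, trusted: list, home: str) -> bool:
    """Apply the proposal's rules in order: system-owned files and files in
    hidden directories are trusted; otherwise the path must equal a listed
    file or lie under a listed directory. Matching is by exact path, which
    is why a moved file has to be trusted again."""
    path = os.path.normpath(path)
    if owner in SYSTEM_USERS:
        return True
    if in_hidden_dir(path, home):
        return True
    for entry in trusted:
        if path == entry or path.startswith(entry.rstrip(os.sep) + os.sep):
            return True
    return False
```

A ~/Desktop file that is not listed therefore triggers the warning dialog, which is exactly the case the proposal raises for browser downloads.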