RFC: Autostart spec, first draft

John (J5) Palmieri johnp at redhat.com
Sat Jul 9 18:55:46 EEST 2005


On Sat, 2005-07-09 at 15:33 +1200, Perry Lorier wrote:

> A) It shouldn't automatically run as me (because it's not my usb memory
> stick plugged in)
> B) It shouldn't run as me because the screensaver is locked which means
> I have implicitly said that any I/O from that session should be ignored
> until my password is entered.
> C) It shouldn't run off the FAT filesystem because the administrator has
> deliberately set filesystems that don't contain +x permission flags to
> not mount with files +x.
> D) It shouldn't run even if the filesystem does support execute
> permissions because the filesystem is mounted nosuid,noexec.
> 
> I come back to my computer, there is no longer any usb devices plugged
> in, my computer is still locked and logged in as me, what evidence do I
> have that my assignment has been stolen?

It actually still needs user interaction.  Part of the spec specifies
autorun scripts must pop up a dialog to ask if the user wishes to run
the script.

BTW I think there are a couple of arguments going on here and they are
getting a bit merged into one another:

1) should we have an exec bit on desktop files in the autostart directory
in the user's home directory

2) should we have an exec bit for autorun scripts on removable media?

3) should we allow an autorun.desktop file to also be parsed and run on
removable media

My options:

1) is not so clear (a.k.a. I really don't care)

2) most definitely, why break traditional Unix paradigms when you don't
have to?  It is a script; scripts have an executable bit, and when it is
not set you would have to run it indirectly.  We are not in the business
of getting around or ignoring established security protocol.

3) I don't think so.  Complicates things a bit if we allow this.

-- 
John (J5) Palmieri <johnp at redhat.com>
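A small checker that encodes the policy argued for in this message (execute bit required, noexec mounts respected, a locked session and the confirmation dialog honoured), as an added example and not code from the thread or from the autostart spec; the mount table is constructed in /proc/mounts format and the function names are my own:

```python
import stat

# Constructed sample in /proc/mounts format; not captured from a real system.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /media/usb2 vfat rw,relatime 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts-style text into (mountpoint, option set) pairs."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append((fields[1], set(fields[3].split(","))))
    return entries


def mount_options_for(path, mounts):
    """Options of the longest mount point that is a prefix of path."""
    best = None
    for mountpoint, opts in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, opts)
    return best[1] if best else set()


def autorun_decision(path, mode, mounts, session_locked, user_confirmed):
    """Decide whether an autorun script may run. Returns (allowed, reason).

    Checks mirror points D, 2), B and the dialog requirement from the thread:
    the mount must not be noexec, the file needs an execute bit, a locked
    session ignores the device, and the user must have confirmed the dialog.
    """
    if "noexec" in mount_options_for(path, mounts):
        return False, "filesystem mounted noexec"
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return False, "no execute bit set"
    if session_locked:
        return False, "session is locked"
    if not user_confirmed:
        return False, "user did not confirm the autorun dialog"
    return True, "allowed"
```

Call `autorun_decision(path, os.stat(path).st_mode, parse_mounts(open("/proc/mounts").read()), locked, confirmed)` on a live system; the sample table lets it run offline.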
