.desktop files, serious security hole, virus-friendliness

Rodney Dawes dobey at novell.com
Mon Apr 3 16:48:25 EEST 2006

First off, you apparently missed the whole thread about this, which was
started on March 23. You might want to look at the archives and read
through it. The replies extend into April.


On Sun, 2006-04-02 at 22:29 -0700, Sam Watkins wrote:
> 1. do you agree that this is a serious security problem?

I don't think it is a serious security problem. While it does expose
the ability to run shell commands from the .desktop file, it doesn't
seem likely that many people will do it. I mean, Windows has had
shortcut files which are pretty much exactly the same as our .desktop
files, and you never hear of anyone doing specific attacks like you
suggest would be done. There are much more interesting ways to do them,
than to have a .desktop file with an icon/label that lies about itself.

> 2. do you think we should fix it?

I don't think we should rely on the +x bit. The point of the +x bit, is
that you can run the thing, from anywhere. Just setting it +x won't let
you run it from the shell. You'd have to change the spec to specify an
implementation to be an interpreter that works on the console, and that
the first line of .desktop files be #!/path/to/interpreter, which may
differ between systems. This would be quite bad and annoying, for the
user to deal with.

However, what I /do/ think we should do, is to fix the spec, and the
implementations, to more clearly define and interpret the Exec field.
The problem raelly is that it's fairly arbitrary in what it allows.
Clarifying that to be more specific, to disallow language interpretation
from the .desktop file, would help a lot more than just +x, I think.
You could easily default a download to +x, simply by putting it within
an archive which does preserve permission bits. The attacker could quite
easily put the .desktop file in a .tar, and when the user downloads it,
and opens it, they see a file in the archive utility, and then run it,
and since it has the +x already, we would just run it. It doesn't seem
like that is much of a solution to me. :)

-- dobey

More information about the xdg mailing list