.desktop files, serious security hole, virus-friendliness

Benedikt Meurer benny at xfce.org
Mon Apr 3 17:54:46 EEST 2006


Rodney Dawes wrote:
>>2. do you think we should fix it?
> 
> I don't think we should rely on the +x bit. The point of the +x bit, is
> that you can run the thing, from anywhere. Just setting it +x won't let
> you run it from the shell. You'd have to change the spec to specify an
> implementation to be an interpreter that works on the console, and that
> the first line of .desktop files be #!/path/to/interpreter, which may
> differ between systems. This would be quite bad and annoying, for the
> user to deal with.

I agree that requiring +x on .desktop files is pretty useless (most
users will simply chmod +x the files as read on <some forum>).

I'd propose to optionally include a digital signature for the Exec field
(i.e. add an ExecSignature field to the spec) and let the file manager
ask the user whether he/she trusts the signee or popup a warning if no
signature is present. Distributions should then ship with a good default
set of trusted certificates (i.e. for Gnome, KDE, Xfce, etc.), so users
shouldn't see the warning unless they're trying to execute a
virus.desktop or a .desktop file whose signee is not yet in the trustdb.

While it's still possible that users simply click "OK" without paying
attention to the warning, it is at least possible for the file manager to
display useful information about the problem, like "You're trying to
execute software from RedHat. Do you trust RedHat?", instead of just
"The x bit for the .desktop file is not set".

> -- dobey

Benedikt
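A sketch of the proposed check as an added example (not code from this thread or from any desktop file manager). It assumes a hypothetical ExecSignature field of the form `<signer>:<base64 Ed25519 signature over the Exec value>` and a distribution-shipped trust database keyed by signer name; the verdicts map to the three cases discussed above plus a fourth for an Exec line altered after signing.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"strings"
)

// Verdict is what the file manager would tell the user about a .desktop file.
type Verdict int

const (
	Unsigned        Verdict = iota // no ExecSignature field: show a warning
	UntrustedSigner                // signed, but the signer is not in the trust db: ask
	BadSignature                   // Exec changed after signing, or malformed field: refuse
	Trusted                        // signed by a key the distribution ships as trusted
)

// parseDesktopEntry returns the key/value pairs of the [Desktop Entry] group only.
func parseDesktopEntry(content string) map[string]string {
	entry, inGroup := map[string]string{}, false
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' {
			continue
		}
		if line[0] == '[' {
			inGroup = line == "[Desktop Entry]"
		} else if k, v, ok := strings.Cut(line, "="); ok && inGroup {
			entry[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return entry
}

// CheckExec applies the proposed policy. The hypothetical ExecSignature field is
// assumed to hold "<signer>:<base64 Ed25519 signature over the Exec value>";
// db maps signer names to the public keys the distribution ships as trusted.
func CheckExec(content string, db map[string]ed25519.PublicKey) (Verdict, string) {
	entry := parseDesktopEntry(content)
	sig, present := entry["ExecSignature"]
	if !present {
		return Unsigned, ""
	}
	signer, b64, ok := strings.Cut(sig, ":")
	pub, known := db[signer]
	if ok && !known {
		return UntrustedSigner, signer
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if !ok || err != nil || !ed25519.Verify(pub, []byte(entry["Exec"]), raw) {
		return BadSignature, signer
	}
	return Trusted, signer
}
```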


