.desktop files, serious security hole, virus-friendliness

Mark Seaborn mrs at mythic-beasts.com
Mon Apr 3 22:23:45 EEST 2006


The real problem here is that you are forced to choose between
 * running the program with all the user's authority, and
 * not running the program at all.

If those are the only options, the best you can do is give the user a
warning when they're about to run a program with access to their whole
user account.  The design choice that remains is when to display a
warning, and when not to.  However, displaying "are you sure?" 
warnings is not terribly useful.  Usually, if a user double-clicks on
a program, they want to run it.

The answer here is to run the program with limited authority.

This is not immediately implementable, because we don't have the
infrastructure to do it, but I think it's worth considering what such
a system could look like.

The best work on this is by Ka-Ping Yee and Miriam Walker.  See "User
Interface Design for Secure Systems"
(http://www.sims.berkeley.edu/~ping/sid/uidss.pdf), and an earlier
paper (http://www.sims.berkeley.edu/~ping/sid/ideus.html).

The idea is that all of an application's powers should have been
explicitly granted to it as a result of some actions by the user.
Fortunately, this does not have to be burdensome to the user at all
-- existing GUIs do not have to be changed much, from the user's point
of view.

For example, an "Open" or "Save As" file chooser dialog box can grant
an application the right to access the file that the user picked.  The
file chooser UI does not have to be changed, although the file chooser
must now be implemented by the system as a trusted component.

There are some systems that implement these ideas already.  Polaris
[1] will run Windows applications with limited authority under
Windows.  CapDesk [2] is a desktop GUI based around the E programming
language, written in Java.  Both allow programs to be granted
authority in a fine-grained way, using very conventional user
interface constructs.

I am working on a similar system (Plash [3]) which applies these ideas
on GNU/Linux.  It can be used to run GUI applications in sandboxes,
and it replaces Gtk's GtkFileChooserDialog so that the file chooser
will grant access rights to the application.

Mark

[1] http://www.hpl.hp.com/personal/Alan_Karp/polaris.pdf
[2] http://www.combex.com/tech/edesk.html
[3] http://plash.beasts.org
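The file chooser as a trusted component, as an added example that is not
part of the original post and is not Plash's, CapDesk's or Polaris's own
code. It shows the mechanism that makes "the dialog grants the right" work
on Linux: the trusted chooser opens the file the user picked and hands the
application an open descriptor over a Unix socket (SCM_RIGHTS), so the
application never learns the path and never needs filesystem access of its
own. An "Open" dialog grants a read-only descriptor, a "Save As" dialog a
write-only one, and the kernel enforces that distinction. Assumptions: Linux
and Python 3.9 or later (for socket.send_fds/recv_fds); the "sandboxed"
application is simulated by a function in the same process rather than a
real jail; the file contents and names are constructed for the demo.

```python
import os
import socket
import tempfile

# Constructed sample document standing in for the file the user picks.
SAMPLE_TEXT = b"quarterly report: draft\n"


def trusted_file_chooser(to_app, path, mode):
    """Trusted side: the system's file chooser. After the user picks `path`,
    open it with exactly the rights the dialog implies and pass the open
    descriptor to the application over `to_app`. The application never
    sees the path and never needs filesystem access of its own.
    mode == "open" grants read only; mode == "save" grants write only."""
    if mode == "open":
        flags = os.O_RDONLY
    elif mode == "save":
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    else:
        raise ValueError("unknown dialog mode: %r" % mode)
    fd = os.open(path, flags, 0o600)
    try:
        # SCM_RIGHTS: the kernel duplicates the open file into the receiver.
        socket.send_fds(to_app, [mode.encode()], [fd])
    finally:
        os.close(fd)  # close our copy; the application's copy stays open


def sandboxed_app_receive(from_chooser):
    """Application side. Its only handle on the outside world is the socket
    to the trusted chooser; whatever descriptor arrives is its authority."""
    msg, fds, _flags, _addr = socket.recv_fds(from_chooser, 64, 1)
    if len(fds) != 1:
        raise RuntimeError("expected exactly one descriptor, got %d" % len(fds))
    return msg.decode(), fds[0]


def read_all(fd):
    """Read the whole granted file; None if the descriptor forbids reading."""
    chunks = []
    try:
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)
    except OSError:  # EBADF on a write-only descriptor
        return None


def try_write(fd, data):
    """True if the write succeeds, False if the descriptor forbids writing."""
    try:
        os.write(fd, data)
        return True
    except OSError:  # EBADF on a read-only descriptor
        return False


def run_demo():
    """Simulate an Open dialog and a Save As dialog on a temporary directory.
    The 'sandbox' is only a separate function here, not a real process jail
    (assumption for the demo); descriptor passing is the mechanism a real
    sandbox would use."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        doc = os.path.join(workdir, "report.txt")
        with open(doc, "wb") as f:
            f.write(SAMPLE_TEXT)

        # "Open": the user picks report.txt; the app can read it and nothing else.
        chooser_end, app_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        trusted_file_chooser(chooser_end, doc, "open")
        results["open_mode"], fd = sandboxed_app_receive(app_end)
        results["open_contents"] = read_all(fd)
        results["open_write_allowed"] = try_write(fd, b"tampered")
        os.close(fd)
        chooser_end.close()
        app_end.close()

        # "Save As": the user picks out.txt; the app can write it, not read it back.
        out = os.path.join(workdir, "out.txt")
        chooser_end, app_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        trusted_file_chooser(chooser_end, out, "save")
        results["save_mode"], fd = sandboxed_app_receive(app_end)
        results["save_write_allowed"] = try_write(fd, b"saved by the application\n")
        results["save_read_allowed"] = read_all(fd) is not None
        os.close(fd)
        chooser_end.close()
        app_end.close()
        with open(out, "rb") as f:
            results["saved_contents"] = f.read()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-20s %r" % (key, value))
```

The point to notice is that nothing on the application side checks
anything: the read attempt on the Save As descriptor and the write attempt
on the Open descriptor fail in the kernel (EBADF), because the right was
fixed when the trusted chooser opened the file. In a real deployment the
application would run in a separate process with no ambient filesystem
access, and this socket would be its only way to obtain files.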



More information about the xdg mailing list