.desktop files, serious security hole, virus-friendliness
Dave Cridland
dave at cridland.net
Tue Apr 4 23:38:26 EEST 2006
On Tue Apr 4 20:03:14 2006, Mark Seaborn wrote:
> A user might receive a tar file as an attachment, open it (presumably
> causing it to be unpacked to a temporary directory), double-click the
> .desktop file -- and thereby give an untrusted program access to their
> whole user account without warning.
a) They could do that with a binary, too, or a shell script. This is
not special to .desktop files, whether +x or not.
b) Double-clicking on a .desktop file in file-roller opens it in
gedit. (Whether it's +x or not, as it happens, because I checked).
c) Does mandating +x make things harder, or easier, for an attacker?
Dave.
--
You see things; and you say "Why?"
But I dream things that never were; and I say "Why not?"
- George Bernard Shaw