.desktop files, serious security hole, virus-friendliness

Dave Cridland dave at cridland.net
Tue Apr 4 23:38:26 EEST 2006


On Tue Apr  4 20:03:14 2006, Mark Seaborn wrote:
> A user might receive a tar file as an attachment, open it (presumably
> causing it to be unpacked to a temporary directory), double-click the
> .desktop file -- and thereby give an untrusted program access to their
> whole user account without warning.

a) They could do that with a binary, too, or a shell script. This is 
not special to .desktop files, whether +x or not.
b) Double-clicking on a .desktop file in file-roller opens it in 
gedit. (Whether it's +x or not, as it happens, because I checked).
c) Does mandating +x make things harder, or easier, for an attacker?

Dave.
-- 
           You see things; and you say "Why?"
   But I dream things that never were; and I say "Why not?"
    - George Bernard Shaw


