.desktop files, serious security hole, virus-friendliness
dobey at novell.com
Tue Apr 4 23:56:27 EEST 2006
On Tue, 2006-04-04 at 21:38 +0100, Dave Cridland wrote:
> On Tue Apr 4 20:03:14 2006, Mark Seaborn wrote:
> > A user might receive a tar file as an attachment, open it (presumably
> > causing it to be unpacked to a temporary directory), double-click the
> > .desktop file -- and thereby give an untrusted program access to their
> > whole user account without warning.
> a) They could do that with a binary, too, or a shell script. This is
> not special to .desktop files, whether +x or not.
Exactly. So what's the point? Why bother making a crap desktop file that
can't really do all that much anyway, when I can just send you an
actual binary that /will/ get run when you double-click it in the
archiver application or file manager? Better yet, why don't I just write
a win32 binary, which does some nasty stuff on Linux, and let you open
it with Wine, without requiring it to be +x, since you aren't running it
directly from the shell, as you're double-clicking it in the file
> b) Double-clicking on a .desktop file in file-roller opens it in
> gedit. (Whether it's +x or not, as it happens, because I checked).
But not everyone opens tar archives in file-roller and uses Evolution
to read their mail and open attachments from. How does this behave in
KDE? XFCE? Thunderbird? Various other things through which the user may
receive tar files? GNOME isn't the only thing we need to care about with
a solution here.
> c) Does mandating +x make things harder, or easier, for an attacker?
It makes little difference for the most part. If the user is going to
listen to the attacker and run the file anyway, what's to stop them from
just saying "you have to run chmod +x $filename in a terminal to use
this thing"? This is what the RealPlayer Linux install page said for a
number of years, when the installer was offered as a .bin that you run.
Plenty of things shipped as .shar files have said this too. It's not
exactly uncommon in the world of unix to require setting the +x bit
before you can run something. I don't think extending that requirement
to desktop files is going to solve anything. It's going to make it more
of a pain for developers of valid software than it is for attackers.
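The mechanism under debate, as an added example that is not part of the original thread or of any desktop project's code: a minimal launcher-side check that parses a .desktop file's [Desktop Entry] group, reads its Exec= key, and decides whether a double-click should execute the command or merely open the file as text, with the +x bit as the gate. The file layout and the Exec line are constructed samples; `launch_decision` and `demo` are hypothetical names, and nothing here actually runs the Exec command.

```python
import os
import stat
import tempfile
from configparser import ConfigParser

# Constructed sample .desktop file (not from the thread). The Exec value is a
# harmless placeholder; a real attacker-supplied launcher could name anything.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Totally Legit Viewer
Exec=sh -c "echo hello"
Terminal=false
"""


def parse_desktop_entry(path):
    """Return the [Desktop Entry] group of a .desktop file as a dict.

    .desktop files are INI-like: '#' comments, key=value lines, case-sensitive
    keys, and '%' field codes in Exec (so interpolation must be disabled).
    """
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: 'Exec', not 'exec'
    with open(path, encoding="utf-8") as f:
        cp.read_file(f)
    if "Desktop Entry" not in cp:
        raise ValueError(f"{path}: no [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def is_executable(path):
    """True if any execute bit (user, group or other) is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def launch_decision(path, require_exec_bit=True):
    """Decide what a file manager should do on double-click.

    Returns ("execute", exec_line) or ("open-as-text", exec_line_or_None).
    With require_exec_bit=True a launcher without +x is treated as an
    ordinary text file; with False it behaves like a pre-2006 file manager
    and runs the Exec line regardless of mode bits.
    """
    entry = parse_desktop_entry(path)
    exec_line = entry.get("Exec")
    if entry.get("Type") != "Application" or exec_line is None:
        # Links, directories, malformed entries: nothing to run.
        return ("open-as-text", exec_line)
    if require_exec_bit and not is_executable(path):
        return ("open-as-text", exec_line)
    return ("execute", exec_line)


def demo():
    """Write the sample launcher twice (0644 and 0755) and classify each.

    Returns a dict of decisions so the outcome can be inspected without
    executing anything.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("noexec.desktop", 0o644), ("exec.desktop", 0o755)):
            p = os.path.join(tmp, name)
            with open(p, "w", encoding="utf-8") as f:
                f.write(SAMPLE_DESKTOP)
            os.chmod(p, mode)
            results[name] = launch_decision(p)
        # Same non-executable file under the "no +x required" policy.
        legacy = os.path.join(tmp, "noexec.desktop")
        results["noexec-legacy-policy"] = launch_decision(legacy, require_exec_bit=False)
    return results


if __name__ == "__main__":
    for name, (action, cmd) in demo().items():
        print(f"{name}: {action} ({cmd})")
```

Note what the check does and does not buy you: a tar extracted by most archivers preserves mode bits, so an attacker who sets +x before packing (or simply tells the user to run chmod +x, as the message above points out) is unaffected; the gate only stops launchers that arrive without the bit, for example through mail clients or web downloads that strip it.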