.desktop files, serious security hole, virus-friendliness
sam at nipl.net
Wed Apr 5 06:02:49 EEST 2006
On Wed, Apr 05, 2006 at 12:20:35AM +0100, Scott James Remnant wrote:
> On Tue, 2006-04-04 at 20:03 +0100, Mark Seaborn wrote:
> > One problem with using the executable bit on .desktop files is that
> > the executable bit could become set without any special action by the
> > user.
> In particular, if saved to a FAT partition (USB drive) or similar.
hm. If there are crippled filesystems mounted, having +x for all files,
that's a whole separate problem. as someone pointed out, it's
orthogonal to this problem - ANY sort of executable can be saved off the
net onto a FAT or flash drive and directly executed on a unix system.
This is a different question altogether - I suppose such drives should
not by default be mounted with the +x bit set. But this is a much less
likely vector for malware. I don't think many people have their
~/Desktop on a FAT filesystem! although they might download things to a
USB drive by default.
Concerning archives, this is again a much less serious problem as the
user would have to go through more steps of accident/naivity in order to
execute the file. I would recommend that files should not be directly
executed from an archive, or that a warning should be given. But again,
this is an orthogonal problem, it's not specific to .desktop files.
At the moment, I am only wanting to deal with one problem, which is that
.desktop files can be downloaded and executed off the web or from email
attachments MUCH MORE EASILY than any other type of file.
The last time something like this was possible to my knowledge, was when
the wine package for Debian included a mailcap entry that would invoke
"wine" to run any *.exe file even if it is not marked with the +x bit.
I protested about that, and I suppose other people did too, because they
fixed the problem.
> A different approach would be a standard for saving of attachments and
> files downloaded from the Internet. E-mail clients, Web browsers, etc.
> would honour this standard, and declare their support for it as a
This would be too difficult to implement given the enormous variety of
e-mail clients and browsers.
Happily we don't yet have such a plethora of freedesktop-compilant
desktop environments, so it is still possible to fix this problem easily
in the right way.
Does anyone other than me think my proposed solution might be the right
thing to do? or can you offer some "tweaks" and criticisms to make it
better? If so, I'm happy to have a go at implementing it.
More information about the xdg