Security issue with .desktop files revisited

Waldo Bastian bastian at
Sat Apr 8 08:43:03 EEST 2006

On Tuesday 28 March 2006 11:27, Francois Gouget wrote:
> Mike Hearn wrote:
> [...]
> > To reiterate, the security problem here is that something which is a
> > program can make itself look like a document by using a .desktop file.
> Right, that was the initial problem. But your proposals to use the +x
> permission bit to fix it creates a lot more security issues that they
> fix. Claiming they are unrelated is ridiculous.
> > The fact that +x bits have some other meaning for shell scripts and
> >
>  > ELF files isn't related .....
> The meaning of the +x bit is defined by the exec() Unix system call. It
> does not matter to that system call whether the file is a shell script,
> an ELF binary or a desktop file. You can say what you want, it *is*
> related.
> When considering security issues you must always consider the whole
> system, not just the one small aspect you are interested in. Failure to
> do so results in opening more security holes than you plug.

I think it's a sane idea to require +x on .desktop files in order for a file 
browser or "Desktop" to execute the .desktop file. It shouldn't be too much 
of a problem to add a #!/usr/bin/xdg-open line to the format either, although 
it my take a while before applications actually start to add that.

Linux Client Architect - Channel Platform Solutions Group - Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : 

More information about the xdg mailing list