Security issue with .desktop files revisited

Thiago Macieira thiago at kde.org
Tue Apr 11 09:40:33 EEST 2006


Joe Baker wrote:
>What about when the KDE desktop is deployed on top of a FAT32 filesystem
>which doesn't allow for UNIX style file attributes?  The desktop system
>introduced this vulnerability, it should close it within its own
>architecture.

First of all, this doesn't work. I don't think KDE runs on top of FAT32 
since that filesystem is too limited (I think we require hardlinking). I 
might be wrong, though.

Second, as has been explained, if you can't have +x/-x security, 
then .desktop files aren't the problem. Scripts and other binaries will 
become executable too without user intervention. So we go back 
to .desktop and other executables being in the same boat.

-- 
Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
  thiago.macieira (AT) trolltech.com     Trolltech AS
    GPG: 0x6EF45358                   |  Sandakerveien 116,
    E067 918B B660 DBD1 105C          |  NO-0402
    966C 33F5 F005 6EF4 5358          |  Oslo, Norway
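
Added example, not part of the original message: a Python probe for the condition discussed above, namely whether the filesystem under a directory lets the +x bit be set and cleared per file. The function names and the returned labels are assumptions made for this illustration.

```python
import os
import stat
import sys
import tempfile

X_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def exec_bit_is_meaningful(directory):
    """Return True if a file in `directory` can be made non-executable and executable.

    On mounts without UNIX mode bits, chmod is refused or ignored and every
    file reports the same mount-wide mode, so +x carries no information.
    """
    fd, path = tempfile.mkstemp(dir=directory, prefix=".xbit-probe-")
    os.close(fd)
    try:
        try:
            os.chmod(path, 0o600)
            cleared = not (os.stat(path).st_mode & X_BITS)
            os.chmod(path, 0o700)
            was_set = bool(os.stat(path).st_mode & stat.S_IXUSR)
        except OSError:
            return False  # chmod refused: mode bits are not under user control
        return cleared and was_set
    finally:
        os.unlink(path)


def classify(path):
    """Say what the +x bit on `path` can tell a launcher (labels are hypothetical)."""
    parent = os.path.dirname(os.path.abspath(path))
    if not exec_bit_is_meaningful(parent):
        # Scripts, binaries and .desktop files are all in the same position here.
        return "no-xbit-security"
    return "executable" if os.stat(path).st_mode & X_BITS else "not-executable"


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, classify(name))
```

The probe needs write access to the directory being checked, because it creates and removes a temporary file there.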