Security issue with .desktop files revisited
Thiago Macieira
thiago at kde.org
Tue Apr 11 09:40:33 EEST 2006
Joe Baker wrote:
>What about when the KDE desktop is deployed on top of a FAT32 filesystem
>which doesn't allow for UNIX style file attributes? The desktop system
>introduced this vulnerability, it should close it within its own
>architecture.
First of all, this doesn't work. I don't think KDE runs on top of FAT32
since that filesystem is too limited (I think we require hardlinking). I
might be wrong, though.
Second, as has been explained, if you can't have +x/-x security,
then .desktop files aren't the problem. Scripts and other binaries will
become executable too without user intervention. So we go back
to .desktop and other executables being in the same boat.
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
thiago.macieira (AT) trolltech.com Trolltech AS
GPG: 0x6EF45358 | Sandakerveien 116,
E067 918B B660 DBD1 105C | NO-0402
966C 33F5 F005 6EF4 5358 | Oslo, Norway