Security issue with .desktop files revisited

Rodney Dawes dobey at novell.com
Thu Apr 13 00:52:47 EEST 2006


On Wed, 2006-04-12 at 21:30 +0200, Thiago Macieira wrote:
> Rodney Dawes wrote:
> >actually use their computer. And .desktop files are in fact data and
> >not executable scripts. Requiring +x just requires you to make them
> >behave more like scripts.
> 
> The fact that you can write a whole shell script in the Exec= line 
> makes .desktop files de-facto scripts. They are shell scripts with a 
> special syntax and one that allows you to change the icon.

But you cannot execute it directly with the shell. You must extract the
specific contents of the Exec field, and pass them to a shell
interpreter. This is no different than embedding php or ruby within an
HTML document. It's still an HTML document, but may be processed to
deal with other embedded parts of it. By your semantics, PDFs which
contain JavaScript to be interpreted by Acrobat are now JS scripts,
rather than PDF documents. This just simply isn't the case.

What would make .desktop files be shell scripts, is requiring them to
be +x, and requiring the first line to point to an interpreter for them,
so that they may be executed directly on the command line. This also
extends the habit mentioned below, which is problematic, rather than
prevents it.

> >Users are going to just get into the habit of always doing chmod
> >+x, as we have already been doing for perl/python/etc... scripts that
> >we download off the web.
> 
> If they have that habit, they may be doing even nastier things than what a 
> shell script is capable of. A Perl script could be complex enough to 
> install backdoors and log keystrokes.
> 
> >Setting +x is not a solution, it's a problem.
> 
> I don't see how enforcing the bit could cause more harm than right now.

Because, as a user, I now have to make every .desktop file I want to
create, have the +x bit. This means you are encouraging the habit mentioned
above, which you also agree is even more problematic.


Let's fix the semantics for handling of the Icon field in the spec to
start with, and then go from there. One of the main concerns seems to
be that people are worried that .desktop files can specify their icon
as that of a MIME type. So, let's get something written up for the spec
to deal with this, and get it in, and get the implementations fixed to
handle it, and then look at fixing handling of Exec. Of course, this
won't actually work with the Tango theme in a lot of cases, as it
strives to only provide generic MIME type icons. :) 

-- dobey
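The thread turns on three properties of a launcher: whether its Icon borrows a MIME-type icon, whether its Exec line is really an inline shell script, and whether the file carries the +x bit that KDE proposes to require. The following checker is an added example written for this page, not code from either poster or from any desktop project; the icon-prefix list and the tag names are assumptions of the example, and the sample entry is constructed.

```python
import configparser
import os
import shlex
import stat

# Prefixes of the freedesktop MIME-type icon family (assumed list): a launcher
# using one of these is drawn like a document, the Icon-field concern above.
MIME_ICON_PREFIXES = ("application-", "audio-", "image-", "inode-",
                      "text-", "video-", "x-office-")
SHELL_METACHARS = set(";|&`$(){}<>")   # turn an Exec line into an inline script
SHELLS = {"sh", "bash", "dash", "zsh"}


def parse_desktop(text):
    """Return the [Desktop Entry] group of a .desktop file as a dict."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        raise ValueError("missing [Desktop Entry] group")
    return dict(cp.items("Desktop Entry"))


def audit_desktop(text, mode):
    """Tag the traits debated in the thread; mode is the file's st_mode."""
    entry = parse_desktop(text)
    findings = []
    if entry.get("Icon", "").startswith(MIME_ICON_PREFIXES):
        findings.append("mime-icon")        # looks like a data file
    exec_line = entry.get("Exec", "")
    if SHELL_METACHARS & set(exec_line):
        findings.append("exec-metachars")   # Exec is effectively a script
    try:
        argv = shlex.split(exec_line)
    except ValueError:                      # unbalanced quotes
        argv = []
    if argv and os.path.basename(argv[0]) in SHELLS:
        findings.append("exec-shell")       # hands the line to an interpreter
    if not mode & stat.S_IXUSR:
        findings.append("no-exec-bit")      # would fail a +x requirement
    return findings


# Constructed sample, not taken from the thread: a launcher named and
# iconed like a PDF whose Exec line is a small (harmless) shell pipeline.
MASQUERADE = """[Desktop Entry]
Type=Application
Name=Report.pdf
Exec=sh -c "echo demo | cat"
Icon=application-pdf
"""
```

Running `audit_desktop(MASQUERADE, 0o100644)` returns all four tags; a plain `Exec=gedit %U` launcher with an application icon and the +x bit set returns none, which is the distinction the thread is arguing about.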