Concerning autostart-spec

Waldo Bastian bastian at kde.org
Wed Mar 15 09:14:49 EET 2006


This isn't about executable bits but about not executing binary program files. 
I will adjust the wording to make this more clear.

Cheers,
Waldo

On Tuesday 14 March 2006 11:22, Peter wrote:
> I have a concern about autoopen in the autostart-spec.  I'll start with
> a quote:
>
> The relative path MUST NOT point to an executable file. ... If the
> relative path points to an executable file then the desktop environment
> MUST NOT execute the file.
>
> I don't know exactly how Windows-free you guys are, but consider if
> someone wants a cross-platform medium of some kind.  They would
> certainly want Windows to read it, and Windows formats often don't have
> executable bits.  These mediums get mounted with EVERY file marked
> executable, at least on every Unix (which pretty much means Linux ;)
> I've tried it with.  Seeing as though this part of the spec is most
> foreseeably useful for cdroms, I'll point you to something I did a quick
> Google for:
>
> http://aplawrence.com/Bofcusm/1324.html
>
> So far this is sapping the spec of its usefulness.  I did a search in
> the archives, and someone else seemed to mention that directories are
> also valid candidates for autoopen.  I agree.
>
> I understand that this is a matter of security; however, I would suggest
> that the execute bit be explicitly ignored.  Hopefully this wouldn't
> result in kludgey vfs work-arounds.  On that note, I'll again quote the
> spec:
>
> When an Autoopen file has been detected and the user has confirmed that
> the file indicated in the Autoopen file should be opened then the file
> indicated in the Autoopen file MUST be opened in the application
> normally preferred by the user for files of its kind UNLESS the user
> instructed otherwise.
>
> This implies that the user "MUST" be prompted (shouldn't this be
> explicit to avoid mis-interpretations?) and be given the same
> responsibility one requires when opening any media, visiting any
> website, or otherwise using one's computer.  This seems simple enough to
> me.  Removing the execute bit and prompting the user will give the same
> level of security that would otherwise be given without the execute bit
> in the first place.
>
> Hopefully I haven't wasted your time with something that has been
> addressed. _______________________________________________
> xdg mailing list
> xdg at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/xdg

-- 
Linux Client Architect - Channel Platform Solutions Group - Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/xdg/attachments/20060314/9b98032e/attachment.pgp 


More information about the xdg mailing list