Security issue with .desktop files revisited
Thiago Macieira
thiago at kde.org
Tue Mar 28 14:01:58 EEST 2006
Dave Cridland wrote:
>You're certainly right in thinking this is a good solution, but it's
>not one open to us, because not everywhere has extended attributes
>just yet. The only common factor we have to play with on the vast
>majority of filesystems is the file mode bits. Basically, the x bit
>is currently unused, in effect, by .desktop files, so realistically
>this is a poor man's emulation of this.
We could abuse the sticky bit for that. What's also interesting, it would
show a "t" or "T" in the output of ls -l.
It has no effect on text files on Linux, nor on executables. However, the
man page for "chmod" says that, on some systems, only the superuser can
set the sticky bit. Does anyone know what such systems might be?
We'd also have to instruct download programs not to preserve the sticky
bit when downloading files from the Internet.
However, I think using the executable bit is better and making trusted
files executable. We'd treat .desktop files just like any other script.
This would require that all distributions start shipping +x .desktop
files ASAP.
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
thiago.macieira (AT) trolltech.com Trolltech AS
GPG: 0x6EF45358 | Sandakerveien 116,
E067 918B B660 DBD1 105C | NO-0402
966C 33F5 F005 6EF4 5358 | Oslo, Norway
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/xdg/attachments/20060328/0e72e93d/attachment.pgp
More information about the xdg
mailing list