Security issue with .desktop files revisited

Francois Gouget fgouget at
Tue Mar 28 17:49:48 EEST 2006

Mike Hearn wrote:
> Here's an  idea - the problem with requiring an EA or +x to be set is it 
> breaks backwards compatibility (it'd break Crossover/Wine for one ...).

Well, in my proposal, only untrusted files need the untrusted EA bit 
set. So backward compatibility is not broken.

> But what if the logic is inverted - so the absence of +x means a file is 
> trusted, and web browsers or email programs set +x when they save a file 
> to disk?

Surely, requiring that web browsers and email tools make all the files 
they save executable cannot be good for security...

> The +x bit on a .desktop file in the users home dir is then 
> treated as a "don't trust" marker.

Which is kind of the opposite of its normal meaning which can be taken 
to be 'I trust this file enough that I am willing to execute it'.

Francois Gouget
fgouget at

More information about the xdg mailing list