Security issue with .desktop files revisited
mike at plan99.net
Tue Mar 28 18:01:20 EEST 2006
Francois Gouget wrote:
> Well, in my proposal, only untrusted files need the untrusted EA bit
> set. So backward compatibility is not broken.

Right, I'm just exploring ways to achieve that without requiring EAs.

> Surely, requiring that web browsers and email tools make all the files
> they save executable cannot be good for security...

Only .desktop files, and right now +x on such a file is meaningless anyway.

> Which is kind of the opposite of its normal meaning which can be taken
> to be 'I trust this file enough that I am willing to execute it'.

Yes, it's unintuitive to reverse the meaning like that, but it does have
the advantage of not requiring EAs (which don't travel through standard
tarballs, network filing systems) and not breaking backwards compatibility.