Security issue with .desktop files revisited

Francois Gouget fgouget at codeweavers.com
Tue Mar 28 22:27:07 EEST 2006


Mike Hearn wrote:
[...]
> To reiterate, the security problem here is that something which is a 
> program can make itself look like a document by using a .desktop file.

Right, that was the initial problem. But your proposals to use the +x 
permission bit to fix it create a lot more security issues than they 
fix. Claiming they are unrelated is ridiculous.

> The fact that +x bits have some other meaning for shell scripts and
> ELF files isn't related .....

The meaning of the +x bit is defined by the exec() Unix system call. It 
does not matter to that system call whether the file is a shell script, 
an ELF binary or a desktop file. You can say what you want, it *is* related.

When considering security issues you must always consider the whole 
system, not just the one small aspect you are interested in. Failure to 
do so results in opening more security holes than you plug.


-- 
Francois Gouget
fgouget at codeweavers.com
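
An added example, not part of the original message: a small audit that classifies *.desktop files the way Linux execve() would, by mode bits and leading bytes only, never by file name. The function names and sample files are constructed for illustration, and it assumes no extra binfmt_misc handlers are registered.

```python
import os
import stat
import tempfile

def exec_view(path):
    """Classify a regular file as execve() would: mode bits and leading bytes.
    The file name and extension are never consulted.
    Assumption: no extra binfmt_misc handlers are registered."""
    mode = os.stat(path).st_mode
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "EACCES"    # no execute bit at all: exec is refused
    with open(path, "rb") as f:
        head = f.read(4)
    if head == b"\x7fELF":
        return "ELF"       # loaded as a native binary
    if head[:2] == b"#!":
        return "SCRIPT"    # kernel runs the interpreter named on line 1
    return "ENOEXEC"       # +x is set, but the kernel knows no such format

def audit_desktop_files(root):
    """Return {relative path: exec_view} for every *.desktop file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".desktop"):
                full = os.path.join(dirpath, name)
                report[os.path.relpath(full, root)] = exec_view(full)
    return report

def build_sample_tree(root):
    """Write constructed sample files (not taken from the thread)."""
    entry = b"[Desktop Entry]\nType=Application\nExec=true\n"
    samples = {
        "plain.desktop": (entry, 0o644),
        "marked.desktop": (entry, 0o755),
        "script.desktop": (b"#!/bin/sh\nexit 0\n", 0o755),
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, verdict in audit_desktop_files(tmp).items():
            print(f"{path:16} {verdict}")
```
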


