Security issue with .desktop files revisited

Francois Gouget fgouget at
Tue Mar 28 22:40:46 EEST 2006

Thiago Macieira wrote:
>>Now if desktop files were to start with '#!/usr/bin/whatever', then
>>making the trusted ones executable could make sense.
> #!/bin/false

I was thinking more of something along the lines of 
'#!/usr/bin/run_desktop_file'. Desktop files are equivalent to shell 
scripts anyway. The only thing missing is that one cannot use them 
transparently because exec() does not know what to do with them. This 
limits their use to a few Freeesktop-aware applications. Adding the 
above line and making _trusted_ desktop files executable would fix this 

> There's also the sticky bit.

While not introducing security issues that I can see, this would still 
be really really ugly. What next?
Gimp putting the sticky bit on images to help identify black and white 
images? OpenOffice using the sticky bit to help the user identify which 
files he modified?

Permission bits are not there just for anyone to redefine on a whim!

Francois Gouget
fgouget at

More information about the xdg mailing list