Security issue with .desktop files revisited
Francois Gouget
fgouget at codeweavers.com
Tue Mar 28 22:40:46 EEST 2006
Thiago Macieira wrote:
[...]
>>Now if desktop files were to start with '#!/usr/bin/whatever', then
>>making the trusted ones executable could make sense.
>
> #!/bin/false
I was thinking more of something along the lines of
'#!/usr/bin/run_desktop_file'. Desktop files are equivalent to shell
scripts anyway. The only thing missing is that one cannot use them
transparently because exec() does not know what to do with them. This
limits their use to a few Freeesktop-aware applications. Adding the
above line and making _trusted_ desktop files executable would fix this
oversight.
> There's also the sticky bit.
While not introducing security issues that I can see, this would still
be really really ugly. What next?
Gimp putting the sticky bit on images to help identify black and white
images? OpenOffice using the sticky bit to help the user identify which
files he modified?
Permission bits are not there just for anyone to redefine on a whim!
--
Francois Gouget
fgouget at codeweavers.com
More information about the xdg
mailing list