.desktop file security

Michael Pyne mpyne at purinchu.net
Sat Feb 21 15:07:04 PST 2009 

Hi all,

I'm just writing to let you know that I'm working on changing the handling of 
.desktop files for the next major version of KDE.  The work itself is being 
tracked on kde-core-devel but a synopsis of the plan is:

When launching a .desktop file (which I'll refer to as a service), if any of 
the following conditions are true, the launch is permitted:

1. The service is executable by the user
2. The service is owned by root (to handle the common case of system-installed 
files)
3. The service is contained in a standard service directory.  Right now this 
means "xdgdata-apps" in addition to standard KDE service locations.

In the event that the launch would have been forbidden based on the preceding 
restrictions, the user is given the option of automatically making the service 
executable and then launching.  Although this part makes me a bit queasy I 
think it's the best option to easily allow existing Desktop icons, panel 
launchers, etc. to continue to work.

If the file is made executable automatically it is given a "#!/usr/bin/env 
xdg-open" header as well if it did not already have a #! header so that 
running the file from the command line will do the right thing.

Are there any thoughts or anything I need to implement to allow 
GNOME/Xfce/etc. launchers to continue to work?  I would expect that the second 
exemption combined with xdgdata-apps in the third would be sufficient but 
now's the time to let me know if that's not the case.

I've subscribed for the purposes of this discussion so you don't have to CC me 
(unless I don't answer after a day I guess) ;).

Regards,
 - Michael Pyne
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freedesktop.org/archives/xdg/attachments/20090221/465c9a12/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freedesktop.org/archives/xdg/attachments/20090221/465c9a12/attachment.pgp

More information about the xdg mailing list