.desktop file security

Alexander Larsson alexl at redhat.com
Tue Feb 24 04:27:39 PST 2009


On Tue, 2009-02-24 at 11:55 +0100, Alexander Larsson wrote:
> On Sat, 2009-02-21 at 18:07 -0500, Michael Pyne wrote:
> > Hi all,
> > 
> > I'm just writing to let you know that I'm working on changing the
> > handling of .desktop files for the next major version of KDE. The work
> > itself is being tracked on kde-core-devel but a synopsis of the plan
> > is:
> > 
> > When launching a .desktop file (which I'll refer to as a service), if
> > any of the following conditions are true, the launch is permitted:
> > 
> > 1. The service is executable by the user
> > 2. The service is owned by root (to handle the common case of
> > system-installed files)
> > 3. The service is contained in a standard service directory. Right now
> > this means "xdgdata-apps" in addition to standard KDE service
> > locations.
> 
> I'm doing something like this in gnome. ATM it's just doing 1 and 3. What
> is the common use case for 2? Note that my changes don't affect general
> launching of desktop files in things like the menus, only those from the
> file manager, and only for application launchers (not e.g. uri links).
> 
> Furthermore, I'm also doing:
> 4. Don't allow sniffing of desktop files, always require a .desktop
>    extension.
> 5. For untrusted desktop files, don't show the custom icon and display
>    name specified in the desktop file.

Oh, and also:

6. Make sure that launchers added to the Desktop and whatnot are marked
as executable.

7. On initial login make all desktop file launchers in the desktop dir
executable.

For 7, maybe we can share what file to use to see if this has been done
so that this doesn't accidentally happen twice. Say for instance
"$XDG_DATA_HOME/.converted-launchers".

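The launch conditions 1-3 together with rules 4 and 5 from the thread, as an added example that is not part of the original message and is not KDE or GNOME code. The function names are hypothetical, and reading "xdgdata-apps" as the `applications` subdirectory of the XDG data directories is an assumption.

```python
import os
from pathlib import Path

# Hypothetical helper names; this is a sketch of the policy, not project code.

def standard_app_dirs(env=None):
    """XDG "applications" directories (assumed reading of "xdgdata-apps")."""
    env = os.environ if env is None else env
    home = env.get("XDG_DATA_HOME") or os.path.expanduser("~/.local/share")
    system = env.get("XDG_DATA_DIRS") or "/usr/local/share:/usr/share"
    return [Path(d) / "applications" for d in [home, *system.split(":")] if d]

def decide(name, executable, owner_uid, real_path, app_dirs):
    """Pure policy check on already-gathered facts. Returns (trusted, reason)."""
    if not name.endswith(".desktop"):       # rule 4: extension only, no sniffing
        return False, "not a .desktop file"
    if executable:                          # condition 1
        return True, "executable by user"
    if owner_uid == 0:                      # condition 2
        return True, "owned by root"
    for d in app_dirs:                      # condition 3
        # Compare whole path components so "applications-evil" does not match.
        if Path(d) in Path(real_path).parents:
            return True, "in standard directory"
    return False, "untrusted"

def launcher_trust(path, app_dirs=None):
    """Gather the facts for `path` from the filesystem and apply decide()."""
    dirs = standard_app_dirs() if app_dirs is None else app_dirs
    real = Path(path).resolve()             # resolve symlinks before comparing
    st = os.stat(real)
    return decide(Path(path).name, os.access(real, os.X_OK), st.st_uid,
                  real, [Path(d).resolve() for d in dirs])

def shown_name(path, declared_name, trusted):
    """Rule 5: an untrusted launcher is listed under its file name."""
    return declared_name if trusted else Path(path).name
```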


