.desktop file security

Alexander Larsson alexl at redhat.com
Tue Feb 24 05:51:56 PST 2009


On Tue, 2009-02-24 at 13:22 +0000, John Tapsell wrote:
> <snip>
> > 7. On initial login make all desktop file launchers in the desktop dir
> > as executable.
> >
> > For 7, maybe we can share what file to use to see if this has been done
> > so that this doesn't accidentally happen twice. Say for instance
> > "$XDG_DATA_HOME/.converted-launchers".
> 
> I prefered mpyne's approach in just assuming all the current .desktops
> are bad.  Make it only a once-off confirmation to the user to convert.
>  That should be good enough.

You mean once-off per desktop file? Or a once off dialog on login for
all files in the desktop?

I think this is kinda wrong. Since we previously never required +x for
the desktop files any already existing launchers are implicitly trusted.
They were previously trusted, and the user probably ran them at least
once. So, if they were a "attach" the user is already "infected" and
adding +x to the file doesn't make much of a difference.



More information about the xdg mailing list