.desktop file security

John Tapsell johnflux at gmail.com
Wed Feb 25 01:43:16 PST 2009

2009/2/25 Patryk Zawadzki <patrys at pld-linux.org>:
> On Wed, Feb 25, 2009 at 10:10 AM, John Tapsell <johnflux at gmail.com> wrote:
>> Are you suggesting some sort of collaborative situation where you want
>> some people to trust the .desktop file and others not?   I can't even
>> imagine such a situation.
> No, I'm suggesting a situation where you have to sometimes work with
> files you don't own. Imagine me being evil and creating a file in the
> middle of a source tree:
> [Desktop Entry]
> Name=fixme.c
> Icon=text-x-generic
> Terminal=false
> Type=Application
> Exec=some-evil-password-sniffer
> I can certainly mark the file as executable by you but that does not
> make it a trusted one.

Okay, but you could also do the same for a bash script.  We aren't
proposing to try to solve that problem at all.


More information about the xdg mailing list