.desktop file security
John Tapsell
johnflux at gmail.com
Wed Feb 25 01:43:16 PST 2009
2009/2/25 Patryk Zawadzki <patrys at pld-linux.org>:
> On Wed, Feb 25, 2009 at 10:10 AM, John Tapsell <johnflux at gmail.com> wrote:
>> Are you suggesting some sort of collaborative situation where you want
>> some people to trust the .desktop file and others not? I can't even
>> imagine such a situation.
>
> No, I'm suggesting a situation where you have to sometimes work with
> files you don't own. Imagine me being evil and creating a file in the
> middle of a source tree:
>
> [Desktop Entry]
> Name=fixme.c
> Icon=text-x-generic
> Terminal=false
> Type=Application
> Exec=some-evil-password-sniffer
>
> I can certainly mark the file as executable by you but that does not
> make it a trusted one.
Okay, but you could also do the same for a bash script. We aren't
proposing to try to solve that problem at all.
John
More information about the xdg
mailing list