[prev in list] [next in list] [prev in thread] [next in thread]
List: freedesktop-xdg
Subject: Re: Security issue with .desktop files revisited
From: Waldo Bastian <bastian () kde ! org>
Date: 2006-04-08 5:43:03
Message-ID: 200604072243.16838.bastian () kde ! org
[Download RAW message or body]
On Tuesday 28 March 2006 11:27, Francois Gouget wrote:
> Mike Hearn wrote:
> [...]
>
> > To reiterate, the security problem here is that something which is a
> > program can make itself look like a document by using a .desktop file.
>
> Right, that was the initial problem. But your proposals to use the +x
> permission bit to fix it creates a lot more security issues that they
> fix. Claiming they are unrelated is ridiculous.
>
> > The fact that +x bits have some other meaning for shell scripts and
> >
> > ELF files isn't related .....
>
> The meaning of the +x bit is defined by the exec() Unix system call. It
> does not matter to that system call whether the file is a shell script,
> an ELF binary or a desktop file. You can say what you want, it *is*
> related.
>
> When considering security issues you must always consider the whole
> system, not just the one small aspect you are interested in. Failure to
> do so results in opening more security holes than you plug.
I think it's a sane idea to require +x on .desktop files in order for a file
browser or "Desktop" to execute the .desktop file. It shouldn't be too much
of a problem to add a #!/usr/bin/xdg-open line to the format either, although
it my take a while before applications actually start to add that.
Cheers,
Waldo
--
Linux Client Architect - Channel Platform Solutions Group - Intel Corporation
[Attachment #3 (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic