From kde-core-devel  Sun Feb 22 02:43:53 2009
From: Michael Pyne <mpyne () purinchu ! net>
Date: Sun, 22 Feb 2009 02:43:53 +0000
To: kde-core-devel
Subject: Re: [PATCH] .desktop security ++
Message-Id: <200902212143.53592.mpyne () purinchu ! net>
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=123527067312751
MIME-Version: 1
Content-Type: multipart/mixed; boundary="--nextPart24728088.zscBd2J1jP"

--nextPart24728088.zscBd2J1jP
Content-Type: multipart/mixed;
  boundary="Boundary-02=_pvLoJJQQeCPkWAa"
Content-Transfer-Encoding: 7bit


--Boundary-02=_pvLoJJQQeCPkWAa
Content-Type: multipart/alternative;
  boundary="Boundary-01=_pvLoJdbiTalvBOi"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--Boundary-01=_pvLoJdbiTalvBOi
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Saturday 21 February 2009, Michael Pyne wrote:
> Hi all,
>
> I've implemented the auto-exec-bit-ifying of .desktop files in KRun and
> made the changes suggested in the last couple of threads, including using
> owned-by- root as an exception as originally discussed instead of merely
> "not writable by user".
>
> Currently the work is in 3 patches (all attached):

2 more patches now to fix the Link to Application template (for a total of =
5):

patch 4 simply adds the #!/usr/bin/env xdg-open header to the Application=20
template desktop file

patch 5 adds support for adding the +x bit to new application links.  Only =
the=20
user's executable bit is added, is it a good idea to add owner/group as wel=
l? =20
I made sure to use KIO in case a Link to Application is created remotely, s=
o=20
that part works even remotely (KPropertiesDialog, as it turns out, did not=
=20
though :( ).

I would assume Plasma would still need to be fixed as well but I haven't=20
looked at it yet.

=46inally, I'm still uneasy at having a dialog that can be clicked-thru for=
=20
=2Edesktop files to run them this way.  So what do you think about having s=
ome=20
kind of minimum-time-to-dialog where if the user tries to click on the=20
=2Edesktop file within, say, 10 minutes of creating it that it simply opens=
 up=20
its properties dialog?  After 10 minutes the dialog would appear on click. =
=20
Note that this would only happen after creating a .desktop file not via Pla=
sma=20
(since that will be fixed) or Link to Application.

Regards,
 - Michael Pyne

--Boundary-01=_pvLoJdbiTalvBOi
Content-Type: text/html;
  charset="utf-8"
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Droid Sans Mono'; font-size:10pt; font-weight:400; font-style:normal;">On Saturday 21 February 2009, Michael Pyne wrote:<br>
&gt; Hi all,<br>
&gt;<br>
&gt; I've implemented the auto-exec-bit-ifying of .desktop files in KRun and<br>
&gt; made the changes suggested in the last couple of threads, including using<br>
&gt; owned-by- root as an exception as originally discussed instead of merely<br>
&gt; "not writable by user".<br>
&gt;<br>
&gt; Currently the work is in 3 patches (all attached):<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>2 more patches now to fix the Link to Application template (for a total of 5):<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>patch 4 simply adds the #!/usr/bin/env xdg-open header to the Application template desktop file<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>patch 5 adds support for adding the +x bit to new application links.  Only the user's executable bit is added, is it a good idea to add owner/group as well?  I made sure to use KIO in case a Link to Application is created remotely, so that part works even remotely (KPropertiesDialog, as it turns out, did not though :( ).<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I would assume Plasma would still need to be fixed as well but I haven't looked at it yet.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Finally, I'm still uneasy at having a dialog that can be clicked-thru for .desktop files to run them this way.  So what do you think about having some kind of minimum-time-to-dialog where if the user tries to click on the .desktop file within, say, 10 minutes of creating it that it simply opens up its properties dialog?  After 10 minutes the dialog would appear on click.  Note that this would only happen after creating a .desktop file not via Plasma (since that will be fixed) or Link to Application.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Regards,<br>
 - Michael Pyne</p></body></html>
--Boundary-01=_pvLoJdbiTalvBOi--

--Boundary-02=_pvLoJJQQeCPkWAa
Content-Type: text/x-patch;
  charset="UTF-8";
  name="brouhaha-005-kpropertiesdialog.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="brouhaha-005-kpropertiesdialog.patch"

Index: kio/kfile/kpropertiesdialog.cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=2D-- kio/kfile/kpropertiesdialog.cpp	(revision 929650)
+++ kio/kfile/kpropertiesdialog.cpp	(working copy)
@@ -1414,6 +1414,27 @@
           job->exec();
       }
   }
+
+  // "Link to Application" templates need to be made executable
+  // Instead of matching against a filename we check if the destination
+  // is an Application now.
+  if ( d->m_bFromTemplate ) {
+    // destination is not necessarily local, use the src template
+    KDesktopFile templateResult ( static_cast<KIO::CopyJob*>(job)->srcUrls=
().first().toLocalFile() );
+    if ( templateResult.hasApplicationType() ) {
+      // We can either stat the file and add the +x bit or use the larger =
chmod() job
+      // with a umask designed to only touch u+x.  This is only one KIO jo=
b, so let's
+      // do that.
+
+      KFileItem appLink ( properties->item() );
+      KFileItemList fileItemList;
+      fileItemList << appLink;
+
+      // first 0100 adds u+x, second 0100 only allows chmod to change u+x
+      KIO::Job* chmodJob =3D KIO::chmod( fileItemList, 0100, 0100, QString=
(), QString(), KIO::HideProgressInfo );
+      chmodJob->exec();
+    }
+  }
 }
=20
 void KFilePropsPlugin::applyIconChanges()

--Boundary-02=_pvLoJJQQeCPkWAa
Content-Type: text/x-patch;
  charset="UTF-8";
  name="brouhaha-004-program-template.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="brouhaha-004-program-template.patch"

Index: apps/lib/konq/Templates/Program.desktop
===================================================================
--- apps/lib/konq/Templates/Program.desktop	(revision 928782)
+++ apps/lib/konq/Templates/Program.desktop	(working copy)
@@ -1,3 +1,4 @@
+#!/usr/bin/env xdg-open
 [Desktop Entry]
 Exec=
 Icon=exec

--Boundary-02=_pvLoJJQQeCPkWAa--

--nextPart24728088.zscBd2J1jP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEABECAAYFAkmgu+kACgkQqjQYp5Omm0pVDwCfbBcWEZXNb7uTRqcSPl7hf0uK
JMwAniixQh5KnRwCM+Ku+qzqqbxN4FBU
=RhlM
-----END PGP SIGNATURE-----

--nextPart24728088.zscBd2J1jP--