[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-core-devel
Subject: Re: requiring .desktop files to be executable ?
From: Michael Pyne <mpyne () purinchu ! net>
Date: 2009-02-22 6:20:44
Message-ID: 200902220120.44730.mpyne () purinchu ! net
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
On Sunday 22 February 2009, Roland Harnau wrote:
> 2009/2/11 Alexander Neundorf <neundorf@kde.org>:
> > here's an article and comments about potential security problems
> > with "executing" .desktop files although they are not executable:
> > http://lwn.net/Articles/318755/
>
> Perhaps I'm a bit late, but I think the whole idea is rather dubious.
> A .desktop file is executable if and only if it contains a (vaild)
> Exec key, and according to the Desktop Entry Specification this key is
> not required (e.g. .desktop files for Plasmoids do not contain them).
> They simply don't fit in the classical UNIX permission scheme.
The subset of .desktop files with a valid Exec= key on the other hand
certainly should fit within that scheme however.
Regards,
- Michael Pyne
[Attachment #5 (text/html)]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" \
"http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style \
type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Droid Sans \
Mono'; font-size:10pt; font-weight:400; font-style:normal;">On Sunday 22 February 2009, Roland Harnau \
wrote:<br> > 2009/2/11 Alexander Neundorf <neundorf@kde.org>:<br>
> > here's an article and comments about potential security problems<br>
> > with "executing" .desktop files although they are not executable:<br>
> > http://lwn.net/Articles/318755/<br>
><br>
> Perhaps I'm a bit late, but I think the whole idea is rather dubious.<br>
> A .desktop file is executable if and only if it contains a (vaild)<br>
> Exec key, and according to the Desktop Entry Specification this key is<br>
> not required (e.g. .desktop files for Plasmoids do not contain them).<br>
> They simply don't fit in the classical UNIX permission scheme.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>The subset of .desktop files with a valid \
Exec= key on the other hand certainly should fit within that scheme however.<br> <p \
style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Regards,<br>
- Michael Pyne</p></body></html>
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic