'Re: requiring .desktop files to be executable ?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: requiring .desktop files to be executable ?
From:       Michael Pyne <mpyne () purinchu ! net>
Date:       2009-02-22 6:20:44
Message-ID: 200902220120.44730.mpyne () purinchu ! net
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


On Sunday 22 February 2009, Roland Harnau wrote:
> 2009/2/11 Alexander Neundorf <neundorf@kde.org>:
> > here's an article and comments about potential security problems
> > with "executing" .desktop files although they are not executable:
> > http://lwn.net/Articles/318755/
>
> Perhaps I'm a bit late, but I think the whole idea is rather dubious.
> A .desktop file is executable if and only if it contains a (vaild)
> Exec key, and according to the Desktop Entry Specification this key is
> not required (e.g. .desktop files for Plasmoids do not contain them).
> They simply don't fit in the classical UNIX permission scheme.

The subset of .desktop files with a valid Exec= key on the other hand 
certainly should fit within that scheme however.

Regards,
 - Michael Pyne

[Attachment #5 (text/html)]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" \
"http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style \
type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Droid Sans \
Mono'; font-size:10pt; font-weight:400; font-style:normal;">On Sunday 22 February 2009, Roland Harnau \
wrote:<br> &gt; 2009/2/11 Alexander Neundorf &lt;neundorf@kde.org&gt;:<br>
&gt; &gt; here's an article and comments about potential security problems<br>
&gt; &gt; with "executing" .desktop files although they are not executable:<br>
&gt; &gt; http://lwn.net/Articles/318755/<br>
&gt;<br>
&gt; Perhaps I'm a bit late, but I think the whole idea is rather dubious.<br>
&gt; A .desktop file is executable if and only if it contains a (vaild)<br>
&gt; Exec key, and according to the Desktop Entry Specification this key is<br>
&gt; not required (e.g. .desktop files for Plasmoids do not contain them).<br>
&gt; They simply don't fit in the classical UNIX permission scheme.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
-qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>The subset of .desktop files with a valid \
Exec= key on the other hand certainly should fit within that scheme however.<br> <p \
style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; \
                -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Regards,<br>
 - Michael Pyne</p></body></html>


["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic