On Sunday 22 February 2009, Andras Mantia wrote:
> On Sunday 22 February 2009, Michael Pyne wrote:
> > Michael Jansen reports that autostart needs an exception too.
>
> Well, we agreed with David Faure that it is not a good idea to have
> there an exception, as that is a user writable folder and the malicious
> website might say "save me in the autostart folder". ;) And I don't see
> a need to make it an exemption, rather the systemsettings module should
> make it executable when copies the .desktop file in the autostart folder.

"apps", "services", and "xdgdata-apps" are all writable by the user in this situation (a KDE install to $HOME), so checking the prefix doesn't change anything with regard to security, as the malicious website may say to "save me in `kde4-config --install apps`.

The reason I didn't notice in my own setup is that I use sudo to install to make the kscreensaver_lock work.

Regards,
- Michael Pyne