On Sunday 22 February 2009, Andras Mantia wrote:
> On Sunday 22 February 2009, Michael Pyne wrote:
> > Michael Jansen reports that autostart needs an exception too.
>
> Well, we agreed with David Faure that it is not a good idea to have
> there an exception, as that is a user writable folder and the malicious
> website might say "save me in the autostart folder". ;) And I don't see
> a need to make it an exemption, rather the systemsettings module should
> make it executable when it copies the .desktop file in the autostart folder.


"apps", "services", and "xdgdata-apps" are all writable by the user in this situation (a KDE install to $HOME), so checking the prefix doesn't change anything with regard to security, as the malicious website may say to "save me in `kde4-config --install apps`".


The reason I didn't notice in my own setup is that I use sudo to install to make the kscreensaver_lock work.


Regards,
- Michael Pyne

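The argument in this message, as an added example (not KDE's code and not written by anyone in the thread): a location-based exemption from the executable-bit requirement only means something when the user cannot write to that location. The policy and the names `dir_writable_by` and `may_launch` are hypothetical, and the check looks at mode bits only.

```python
import os
import stat

def dir_writable_by(path, uid, gids=()):
    """Mode-bit check: could `uid` (member of `gids`) create files in `path`?
    Ignores ACLs and the superuser's ability to bypass permissions."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def may_launch(desktop_file, trusted_dirs, uid, gids=()):
    """Hypothetical launch policy for a .desktop file. Returns (allowed, reason).

    A file with the executable bit is accepted. Without it, the file is
    accepted only when it sits under a trusted prefix that `uid` cannot
    write to. With KDE installed into $HOME every prefix is user-writable,
    so the exemption never applies there."""
    if os.stat(desktop_file).st_mode & stat.S_IXUSR:
        return True, "executable bit set"
    parent = os.path.dirname(os.path.realpath(desktop_file))
    for prefix in map(os.path.realpath, trusted_dirs):
        if os.path.commonpath([parent, prefix]) != prefix:
            continue  # file is not under this prefix
        if dir_writable_by(parent, uid, gids) or dir_writable_by(prefix, uid, gids):
            return False, "prefix is writable by the user; exemption not honoured"
        return True, "inside a prefix the user cannot write to"
    return False, "not executable and outside every trusted prefix"

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a temporary directory stands in for the "apps" prefix.
    apps = tempfile.mkdtemp()
    os.chmod(apps, 0o755)
    entry = os.path.join(apps, "sample.desktop")
    with open(entry, "w") as fh:
        fh.write("[Desktop Entry]\nType=Application\nExec=true\n")
    os.chmod(entry, 0o644)
    owner = os.stat(apps).st_uid
    # Same user owns the prefix (install to $HOME): exemption refused.
    print(may_launch(entry, [apps], owner))
    # Prefix owned by someone else (system-wide install): exemption applies.
    print(may_launch(entry, [apps], owner + 1))
```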