
List:       kde-core-devel
Subject:    Re: .desktop security changes are committed
From:       Michael Pyne <mpyne () purinchu ! net>
Date:       2009-02-22 22:23:04
Message-ID: 200902221723.08593.mpyne () purinchu ! net

On Sunday 22 February 2009, Andras Mantia wrote:
> On Sunday 22 February 2009, Michael Pyne wrote:
> > Michael Jansen reports that autostart needs an exception too.
>
> Well, we agreed with David Faure that it is not a good idea to have
> there an exception, as that is a user writable folder and the malicious
> website might say "save me in the autostart folder". ;)  And I don't see
> a need to make it an exemption, rather the systemsettings module should
> make it executable when it copies the .desktop file in the autostart folder.

"apps", "services", and "xdgdata-apps" are all writable by the user in this 
situation (a KDE install to $HOME), so checking the prefix doesn't change 
anything with regard to security, as the malicious website may say to "save me 
in `kde4-config --install apps`".

The reason I didn't notice in my own setup is that I use sudo to install to 
make the kscreensaver_lock work.

Regards,
 - Michael Pyne
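
Added example, not part of the original message and not KDE's code: a Python sketch of the point above, comparing a prefix-only exemption with one that also requires the exempt directory not to be writable by the user. The function names, the temporary directory standing in for a $HOME install, and the ownership rule are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile

def dir_writable_by(path, uid):
    """True if uid can create files in path (owner/world bits only; groups and ACLs ignored)."""
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        return True
    return st.st_uid == uid and bool(st.st_mode & stat.S_IWUSR)

def is_executable(path):
    return bool(os.stat(path).st_mode & stat.S_IXUSR)

def trusted_by_prefix(path, exempt_dirs):
    # Policy A: executable bit, or the file merely sits in an exempt directory.
    return is_executable(path) or os.path.dirname(path) in exempt_dirs

def trusted_by_ownership(path, exempt_dirs, uid):
    # Policy B (assumed rule): the exemption counts only if uid cannot write there.
    parent = os.path.dirname(path)
    exempt = parent in exempt_dirs and not dir_writable_by(parent, uid)
    return is_executable(path) or exempt

def demo():
    # Constructed layout: a temp dir stands in for the "apps" dir of a $HOME install.
    apps = os.path.realpath(tempfile.mkdtemp(prefix="home-kde-apps-"))
    try:
        launcher = os.path.join(apps, "saved-from-web.desktop")
        with open(launcher, "w") as f:
            f.write("[Desktop Entry]\nType=Application\nExec=/bin/true\n")
        os.chmod(launcher, 0o644)  # no executable bit, as a browser download would be
        owner = os.stat(apps).st_uid
        results = {
            # The user owns the directory, so the prefix exemption trusts the file.
            "prefix_only": trusted_by_prefix(launcher, {apps}),
            # Same file, but the exemption is refused for a user-writable directory.
            "owner_is_user": trusted_by_ownership(launcher, {apps}, owner),
            # A different uid (like a sudo-installed prefix seen by the user) keeps it.
            "other_uid": trusted_by_ownership(launcher, {apps}, owner + 1),
        }
        os.chmod(launcher, 0o755)  # explicit opt-in via the executable bit
        results["after_chmod_x"] = trusted_by_ownership(launcher, {apps}, owner)
        return results
    finally:
        shutil.rmtree(apps)

if __name__ == "__main__":
    print(demo())
```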
