
List:       kde-core-devel
Subject:    Re: .desktop security changes are committed
From:       David Faure <faure () kde ! org>
Date:       2009-02-23 10:05:34
Message-ID: 200902231105.35374.faure () kde ! org

On Sunday 22 February 2009, Michael Pyne wrote:
> On Sunday 22 February 2009, Andras Mantia wrote:
> > On Sunday 22 February 2009, Michael Pyne wrote:
> > > Michael Jansen reports that autostart needs an exception too.
> >
> > Well, we agreed with David Faure that it is not a good idea to have
> > an exception there, as that is a user-writable folder and the malicious
> > website might say "save me in the autostart folder". ;)  And I don't see
> > a need to make it an exemption; rather, the systemsettings module should
> > make it executable when it copies the .desktop file into the autostart folder.
> 
> "apps", "services", and "xdgdata-apps" are all writable by the user in this 
> situation (a KDE install to $HOME)

No, they are _always_ writable by the user. xdgdata-apps includes ~/.local/share/applications.
If your revised patch warns when starting desktop files from there, then we need
to change KOpenWithDialog to +x desktop files too, when checking "remember this
application" and it creates a desktop file...
I was assuming we didn't want to do that though, and that we accepted ~/.local/share/applications/
in the whitelist. OK, I agree that Autostart is rather similar (it's just a bit less hidden),
so I'm ok with whitelisting both. The trojan case will most likely not be saved in either
one of these dirs, if the user thinks it's not a desktop file in the first place.

> , so checking the prefix doesn't change
> anything with regard to security, as the malicious website may say to "save me
> in `kde4-config --install apps`".

Well, that would seem utterly suspicious too :-) (yes, just like Autostart, so
I'm changing my mind about that one).
A website that asks you to save a document into a very specific place should
come up as suspicious to anyone; if it doesn't to someone (for lack of understanding),
then an extra warning isn't going to help anyway...

> On that note it would be nice to have an official public API in KStandardDirs 
> for figuring out where KDE was installed to.

No. It's not there on purpose, because there is actually no such notion. Distributions
can install KDE into /usr and have config in /etc and have other things in other dirs.
This is exactly why KStandardDirs exists: to add a layer between apps and "the KDE
install dir" in order to support such things.

-- 
David Faure, faure@kde.org, sponsored by Qt Software @ Nokia to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
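The policy the thread converges on (launch a .desktop file without prompting when it lives in a whitelisted prefix or carries +x, warn otherwise, and have any tool that creates an entry on the user's behalf set +x itself) is sketched below as an added example. This is not KDE's or KStandardDirs' code; the function names, the `Autostart` directory under the constructed $HOME and the sample entries are assumptions made for the illustration. It also shows the caveat a reviewer of such a check would want: the prefix test is done on resolved paths, so a symlink parked in a trusted directory but pointing at an untrusted file still gets the warning.

```python
import stat
import tempfile
from pathlib import Path

# Any execute bit counts as the "+x" the thread talks about.
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def is_executable(path: Path) -> bool:
    """True when any execute bit is set on the (symlink-resolved) file."""
    return bool(path.stat().st_mode & EXEC_BITS)


def is_under(path: Path, prefix: Path) -> bool:
    """True when `path` really lives inside `prefix`. Both sides are resolved so a
    symlink placed in a trusted directory but pointing elsewhere is not trusted."""
    try:
        path.resolve(strict=True).relative_to(prefix.resolve())
    except (ValueError, OSError):
        return False
    return True


def launch_decision(desktop_file: Path, trusted_prefixes) -> str:
    """Policy modelled on the thread (assumed, not KDE's implementation):
    run silently from a whitelisted prefix or when +x is set, warn otherwise."""
    if not desktop_file.is_file():
        return "refuse"
    if any(is_under(desktop_file, p) for p in trusted_prefixes):
        return "run"
    if is_executable(desktop_file):
        return "run"
    return "warn"


def mark_trusted(desktop_file: Path) -> None:
    """What a dialog that creates a desktop file for the user ("remember this
    application", an autostart module) would do: set +x so the entry is trusted
    wherever it ends up."""
    desktop_file.chmod(desktop_file.stat().st_mode | stat.S_IXUSR)


def write_entry(path: Path, name: str, command: str) -> Path:
    """Write a minimal, constructed .desktop entry (no execute bit)."""
    path.write_text(f"[Desktop Entry]\nType=Application\nName={name}\nExec={command}\n")
    return path


def demo() -> dict:
    """Run the policy over a constructed $HOME layout; returns each file's decision."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        apps = home / ".local" / "share" / "applications"   # xdgdata-apps
        autostart = home / "Autostart"                       # hypothetical autostart dir
        downloads = home / "Downloads"
        for d in (apps, autostart, downloads):
            d.mkdir(parents=True)
        # Whitelist both user-writable dirs, as the thread settles on.
        trusted = [apps, autostart]

        remembered = write_entry(apps / "editor.desktop", "Editor", "kwrite %f")
        startup = write_entry(autostart / "sync.desktop", "Sync", "sync-tool")
        downloaded = write_entry(downloads / "invoice.desktop", "Invoice", "viewer %f")
        created = write_entry(downloads / "tool.desktop", "Tool", "tool")
        mark_trusted(created)           # created on the user's behalf: gets +x
        alias = apps / "alias.desktop"  # symlink in a trusted dir, target outside it
        alias.symlink_to(downloaded)

        return {
            "apps/editor.desktop": launch_decision(remembered, trusted),
            "autostart/sync.desktop": launch_decision(startup, trusted),
            "downloads/invoice.desktop": launch_decision(downloaded, trusted),
            "downloads/tool.desktop (+x)": launch_decision(created, trusted),
            "apps/alias.desktop -> Downloads": launch_decision(alias, trusted),
        }


if __name__ == "__main__":
    for entry, decision in demo().items():
        print(f"{entry}: {decision}")
```

The trade-off the thread accepts is visible in the first two results: a whitelisted user-writable directory means anything that lands there runs without a prompt, which is why the discussion rests on the user noticing that a site asking to save into a very specific place is odd, rather than on the prompt itself.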