Launchpad has imported 7 comments from the remote bug at
https://bugzilla.xfce.org/show_bug.cgi?id=9934.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2013-03-18T12:32:18+00:00 Guido Berhoerster wrote:

With Thunar 1.6 (bug #5012) there is a big security warning when trying
to run .desktop files which do not have the executable bit set. This is
currently not the case for .desktop files created by a user via
exo-desktop-item-edit, leading to reports like
https://bugzilla.novell.com/show_bug.cgi?id=801326.

While exo-desktop-item-edit could be changed to set the executable bit
by default, there does not seem to be a consensus among different DEs
about this behavior, so it is still problematic for .desktop files
created by another DE, another editor or some installation script.

I wonder if there isn't a better solution to this, or if we can at least
get some common way of handling this among DEs?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/thunar/+bug/1327791/comments/0

------------------------------------------------------------------------
On 2014-07-20T14:13:54+00:00 Eric Koegel wrote:

*** Bug 10273 has been marked as a duplicate of this bug. ***

Reply at:
https://bugs.launchpad.net/ubuntu/+source/thunar/+bug/1327791/comments/2

------------------------------------------------------------------------
On 2014-07-26T22:56:30+00:00 Michael Orlitzky wrote:

Created attachment 5561
Patch to make desktop files owner-executable

Unfortunately I don't think we can distinguish between a desktop file
that some other tool created and one that was downloaded as, say, an
email attachment. I figure the best we'll be able to do is make sure the
user can execute the desktop files that he has created. If distros are
installing them noexec, we can bug them. If XFCE's install scripts are
doing it, we can fix that.

If we made non-executable files run arbitrary code, the cure would be
worse than the disease.

This (very rough) patch will make new files created with
exo-desktop-item-edit owner-executable. There's a case in an "if"
statement that deals with remote files:

  /* for remote writes */
  ...

right below the place where I change the permissions. I have no idea
what to do with it!

This patch only affects exo, but Jannis/Nick should see it here.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/thunar/+bug/1327791/comments/3

------------------------------------------------------------------------
On 2014-08-05T08:35:07+00:00 Yves-Alexis Perez wrote:

See also bug #7554

Reply at:
https://bugs.launchpad.net/ubuntu/+source/thunar/+bug/1327791/comments/4

------------------------------------------------------------------------
On 2014-08-05T09:36:09+00:00 Guido Berhoerster wrote:

(In reply to Yves-Alexis Perez from comment #3)
> See also bug #7554

I find that behavior also quite irritating and even dangerous when users
unintentionally execute a script rather than opening it in an editor
(even though it does not have security implications like desktop files).
Executable desktop files can (even if less likely) also be
unintentionally executed and then interpreted by the shell.

Maybe desktop files and executables could be handled in a unified way
and always require user interaction in form of a dialog that asks
whether to open in an editor or to execute it. I think that's what
Nautilus does (at least it did a while back).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/thunar/+bug/1327791/comments/5

------------------------------------------------------------------------
On 2014-08-05T09:38:56+00:00 Yves-Alexis Perez wrote:

(In reply to Guido Berhoerster from comment #4)
> (In reply to Yves-Alexis Perez from comment #3)
> > See also bug #7554
>
> I find that behavior also quite irritating and even dangerous when users
> unintentionally execute a script rather than opening it in an editor (even
> though it does not have security implications like desktop files).

What? No security implications?

> Executable desktop files can (even if less likely) also be unintentionally
> executed and then interpreted by the shell.

Sure.

> Maybe desktop files and executables could be handled in a unified way and
> always require user interaction in form of a dialog that asks whether to
> open in an editor or to execute it.

I guess so.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/thunar/+bug/1327791/comments/6

------------------------------------------------------------------------
On 2014-08-05T09:44:54+00:00 Guido Berhoerster wrote:

(In reply to Yves-Alexis Perez from comment #5)
> (In reply to Guido Berhoerster from comment #4)
> > (In reply to Yves-Alexis Perez from comment #3)
> > > See also bug #7554
> >
> > I find that behavior also quite irritating and even dangerous when users
> > unintentionally execute a script rather than opening it in an editor (even
> > though it does not have security implications like desktop files).
>
> What? No security implications?

At least not through the same attack vector as the desktop files,
browsers don't save files with the executable bit, so running a
malicious script/executable would at least require an additional step
such as extracting a tarball or similar.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/thunar/+bug/1327791/comments/7

** Changed in: thunar
       Status: Unknown => Confirmed

** Changed in: thunar
   Importance: Unknown => Medium

** Bug watch added: Novell/SUSE Bugzilla #801326
   https://bugzilla.novell.com/show_bug.cgi?id=801326

https://bugs.launchpad.net/bugs/1327791

Title:
  Security warning about just created Xubuntu desktop shortcut
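
The permission check and fix discussed in this thread, sketched as an added example; it is not attachment 5561 and not code from exo or Thunar. The function names, the temp path and the sample launcher contents are assumptions made for illustration. It adds only the owner-execute bit, only to a regular file the caller owns, and refuses symlinks.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the owner-execute bit is set, 0 if not, -1 if not a regular file. */
int launcher_is_owner_executable(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    return (st.st_mode & S_IXUSR) ? 1 : 0;
}

/* Add u+x only, and only to a regular file we own; symlinks are refused. */
int launcher_make_owner_executable(const char *path) {
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == geteuid())
        rc = fchmod(fd, (st.st_mode & 07777) | S_IXUSR);
    close(fd);
    return rc;
}

/* Writes a constructed launcher to a temp file (hypothetical path) and
 * returns its final permission bits, or -1 if any step misbehaves. */
int demo_roundtrip(void) {
    char path[] = "/tmp/launcher-XXXXXX";
    const char *body = "[Desktop Entry]\nType=Application\nName=Demo\nExec=true\n";
    struct stat st;
    int result = -1;
    int fd = mkstemp(path);              /* created without any exec bit */
    if (fd < 0) return -1;
    if (write(fd, body, strlen(body)) == (ssize_t)strlen(body) &&
        launcher_is_owner_executable(path) == 0 &&
        launcher_make_owner_executable(path) == 0 &&
        launcher_is_owner_executable(path) == 1 &&
        stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return result;
}

int main(void) {
    printf("final mode: %o\n", (unsigned)demo_roundtrip());
    return 0;
}
```

Group and other execute bits stay clear, so a launcher fixed this way is runnable by its creator only.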
