The distinction between exec/non-exec bits is pretty irrelevant until
sandboxing is fully deployed, to be honest. We cannot both provide
security *and* a good UX for locally installed apps and .desktop files
on the Desktop for now, so I'm tempted to go with good UX and revisit
the decision later.

Some pseudo-code:
1a. Make a safe-list of directories with all of PATH, 
/usr/local/share/applications, /usr/share/applications, 
~/.local/share/applications/, ~/Desktop
1b. Remove XDG_DOWNLOADS_DIR from the safe-list (to keep users who download to 
Desktop a bit safer)

2a. Whenever a bin/sh/desktop file is launched, retrieve location
2b. If location in safe-list, goto Execute (3)
2c. Else if exec-bit not set, goto Warning (4)
2d. Else if xfconf-key "script-launch-behaviour" set to Execute, goto Execute 
(3)
2e. Else if xfconf-key "script-launch-behaviour" set to Edit, goto Edit (6)
2f. Else if xfconf-key "script-launch-behaviour" set to Ask, goto 
ValidateExecute (5)
2g. Goto Warning (4) if the code branch ever reaches that point (secure 
programming, caters for future mistakes when refactoring)

3a. If script/bin, exec with a startup notification
3b. Else forward desktop file to utility that already handles it properly

4a. Warning dialog pops up, "**You are about to run a 
script(sh)/application(bin+desktop) of unknown origin.**" "It could be used to 
steal your data or break your computer. Only proceed if you trust the source of 
this file."
4b. "Help" button to Thunar doc (7)
4c. "Keep me safe" button that cancels -> make it explicit this is the safe 
option
4d. "Edit script/.desktop file/binary" button, see (6)
4e. "Run anyway" button that runs the file

5a. Info dialog pops up "**File XXX is a script/application**" "Thunar protects 
you from accidental script/application executions. You can change this 
behaviour in <settings>."
5b. "Help" button to Thunar doc (7)
5c. "Cancel"
5d. "Edit script/.desktop file/binary" button, see (6)
5e. "Run" button

6a. This is both the logic to decide if we are able to provide an editor and to 
implement Edit, because I'm not sure how xdg-open handles scripts since they 
don't have a MIME Handler
6b. For script/desktop files, search for text/plain and text/xml handlers, for 
binaries application/octet-stream handlers
6c. Display "Edit" buttons only when a handler is found
6d. For "script-launch-behaviour" = Edit, when no handler is found, launch 
xdg-open to present the default app selection dialog so the user knows Thunar 
did its job

7a. Add a doc page to Thunar doc on the implemented behaviour
7b. Explain what warning protects users from, that users should ensure they 
trust sources of unknown bins and should be careful with pseudo/anonymous 
sources, should feel free to ask for help to community if unsure, recommend 
preferring packaged apps as they can be verified by the community
7c. Explain safe-list disables security warning
7d. Explain exec-bit disables security warning
7e. Explain settings keys and provide UI walkthrough to change settings
 

Please, your input on:
- Should "ValidateExecute" be the default for script/bin/desktop with exec-bit 
outside the safe-list? I argue that yes because it avoids accidental executions.
- I would discuss an xfconf key to enable the "Edit" button in the warning, as 
novice users are unlikely to know how to edit a script and advanced users know 
how to change their settings. Ideally we need usage data to know if many users 
want to edit their scripts and if we're gonna piss those users off. A disabled 
option allows distros to adapt to their userbase, though.
- Verifying compatible apps could be done with 
https://developer.gnome.org/gio/stable/GAppInfo.html or "xdg-mime query 
default" (bad, scripting)
- "Don't ask in the future" types of options are usually bad. They provide 
immediate rewards but then users don't know how to restore behaviour, whilst 
getting users into the settings in the first place teaches them where to 
revert the options

Ping me if something's poorly justified/controversial and I'll comment
below.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1327791

Title:
  Security warning about just created Xubuntu desktop shortcut

To manage notifications about this bug go to:
https://bugs.launchpad.net/thunar/+bug/1327791/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
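The decision table in steps 1 and 2 of the comment above, as an added example that is not part of the original comment or of Thunar's code. It assumes the safe-list is matched on the file's exact parent directory (after path normalisation), that PATH, HOME and XDG_DOWNLOADS_DIR are passed in explicitly, and that the "script-launch-behaviour" key is already read as a string; unrecognised key values fall through to Warning, as step 2 requires.

```python
import os
import stat
from enum import Enum


class Action(Enum):
    """Outcomes named in the proposal (section numbers in parentheses)."""
    EXECUTE = "Execute"            # (3)
    WARNING = "Warning"            # (4)
    VALIDATE = "ValidateExecute"   # (5)
    EDIT = "Edit"                  # (6)


def build_safe_list(path_env, home, downloads_dir):
    """Step 1a/1b: every PATH entry plus the application dirs, minus the
    downloads dir (which may legitimately be ~/Desktop itself)."""
    dirs = [d for d in path_env.split(os.pathsep) if d]
    dirs += ["/usr/local/share/applications", "/usr/share/applications",
             os.path.join(home, ".local", "share", "applications"),
             os.path.join(home, "Desktop")]
    safe = {os.path.normpath(d) for d in dirs}
    safe.discard(os.path.normpath(downloads_dir))   # 1b
    return safe


def has_exec_bit(path):
    """Any of the user/group/other execute bits set on a real file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def decide(file_path, exec_bit, safe_list, launch_behaviour):
    """Step 2: map (location, exec bit, xfconf key) to an Action.
    Order matters: safe-list wins, then a missing exec bit always warns."""
    location = os.path.normpath(os.path.dirname(file_path))
    if location in safe_list:                   # 2b
        return Action.EXECUTE
    if not exec_bit:                            # 2c
        return Action.WARNING
    if launch_behaviour == "Execute":           # 2d
        return Action.EXECUTE
    if launch_behaviour == "Edit":              # 2e
        return Action.EDIT
    if launch_behaviour == "Ask":               # 2f
        return Action.VALIDATE
    return Action.WARNING                       # 2g: default-deny
```

Note that exact-directory matching means a file in a subdirectory of a safe-listed directory is not trusted, and that a symlinked location should be resolved before the lookup if the safe-list holds resolved paths.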