In previous discussion surrounding .desktop files it was considered a useful step to increase security (slightly). So I wanted to add it here right from the start.
Well, a few people did, but I never saw any rationale for that beyond "it might stop people clicking on things they downloaded until they take an extra step".
But this situation is different: users won't be downloading auto start files. They'll be installed by some other program, or be on mountable media. Requiring the +x bit here is inconsistent with the current .desktop entry spec, and doesn't add any security as the user isn't involved anyway.
That's a good point. Should a user be able to execute shell code located on such a home dir? Is ~/.profile parsed in such a setup?
You can always execute code of whatever form if it's in your home dir, for instance by piping the contents of a script to the interpreter or by using the ld.so trick.
They will need to understand the notion of "executable", no? How else would a user be able to start an application from the media without auto-start?
Some filing systems make everything executable, and others make nothing executable (eg, CD-ROMs exported over a network). In other cases CDs that are copied on Windows machines may lose extra metadata etc. I don't think we can assume that even if it starts +x it'll remain that way.
thanks -mike _______________________________________________ xdg mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/xdg
