On Mon, 2006-02-27 at 20:03 +0100, Francois Gouget wrote: > So your plan is to have ~/.config/autostart be locked down such that all > of the following commands fail? > > cp foo.desktop ~/.config/autostart > cat foo.desktop >~/.config/autostart/foo.desktop > rm ~/.config/autostart/foo.desktop > rm -rf ~/.config
Not necessarily. Security contexts change on exec according to pre-defined rules. So, you can say "+rwx to ~/.config/autostart in unconfined context" and also "-rwx to ~/.config/autostart in desktop-application context". Because you can control domain transitions, this is OK because bash can transition to desktop-application (which has fewer privs) when you type "gimp" but programs in the desktop-application context cannot launch an unconfined shell themselves. > Frankly I would not want to use a system where standard commands such as > cp, rm and cat are crippled in such a way. Though if the shell gives me > a way to locally turn this feature off for all child processes it may be ok. It doesn't even have to be a shell feature. It can be done automatically, because the security system knows the difference between "write to ~/.config/autostart/foo.desktop" from AmazingApp 2002 and "write to ~/.config/autostart/foo.desktop" from a shell launched from your window manager. > Anyway, if going through a register-autostart tool is to be made > mandatory, it should at least provide the following functionality: > * add an entry > Example: register-autostart --add foo.desktop > * remove an entry > Example: register-autostart --del foo.desktop Yep. > * get a list of the entries and return their full path so an > application can read them > Example: register-autostart --list > /home/user/.config/autostart/foo.desktop > /home/user/.config/autostart/bar.desktop What's the use case for a standard desktop application reading the auto-start list? For special cases like Wine it can preserve its own list of autostart items it registered. I don't think it'd hurt but it's best to be conservative with privileges. thanks -mike _______________________________________________ xdg mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/xdg
