peace, I noticed quite a while ago that .desktop files as specified by freedesktop.org open a window into GNU/Linux for a whole range of viruses and trojans. I think that this has been discussed before. I see that the issue has not been resolved so I'd like to suggest a way to resolve it.
Conventionally, files downloaded from the Internet cannot simply be "clicked" to run them under unix/GNU/Linux; the execute permission must be granted (or an installer used or archive extracted). I feel this "x-bit" is the single best protection available to the non-expert desktop user under Linux/UNIX, which prevents malware becoming common in *nix.

.desktop files, however, are able to execute arbitrary shell commands WITHOUT being "blessed" by the execute bit, just with a click. Also they are displayed differently from normal files: the .desktop extension and the filename are hidden, which compounds the problem.

PLEASE LET'S FIX THIS BEFORE SOMEONE EXPLOITS IT!

I don't think a rapidly-spreading virus could be implemented by this method, because the process is a little more complex than normal "virus vectors"; however, it is still an open window for an attack. It could be used against a specific person or by a general obnoxious website to remove all of a user's files, or install malware/spyware/adware. Malware need not spread rapidly to be extremely harmful.

The way to fix it: Change the standard so .desktop files must be executable, and should begin with a line like:

#!/usr/bin/desktop-launch

The desktop-launch script would simply run the Exec property of the .desktop file as usual (or it might be a little more complex than that).

KDE and Gnome etc. need not use the "desktop-launch" script when a user double-clicks on a .desktop file; they can continue to launch an application directly as they do now - but they MUST check that the .desktop file has the executable bit set! The #! line is only necessary so that if a user exec's the .desktop file in the normal way (e.g. from the shell) it does more or less the right thing, rather than running the .desktop file through the shell, which might cause problems.
We would need to coordinate with Gnome, KDE, GNU/Linux distributions and other freedesktop-compatible environments to "upgrade" existing .desktop files (add the #! line and chmod +x them). Custom .desktop files belonging to users must also be upgraded. This should of course be done interactively to avoid clobbering other files called ".desktop".

This indeed does sound like an enormous amount of work (specifically due to the large number of packages containing .desktop files). Perhaps initially .desktop files that are owned by "root" (and presumably packaged) might be executed in the old way, without the "x" bit. In that case, only a user's local desktop files would need to be upgraded to the new standard.

Also a "confirm execute" dialogue might be used by Gnome and KDE for user-writable .desktop files, and it might chmod +x the file, something like what Windows XP is doing with downloaded .exe files these days: "do you really want to execute this, it might be a virus!"

I feel very strongly that this "we can execute non-executable scripts" misfeature of .desktop files is a very important issue to resolve, so that we can keep the free desktops (almost) entirely free of malware as *nix desktop environments become more popular. Please let me know what you think about this, and who would be likely to be able to implement such a change. (The politics, I mean; I expect that any hacker could implement the code changes.)

If the webserver is working you can check out an example .desktop file on the web, at:

https://sam.nipl.ath.cx/virus.desktop

I've attached it and appended it to this email also.

It would be fairly easy with firefox / js to set up a thing that would download this to a user's Desktop, with only a click "yes". For now, just click "save as", and save it on your desktop. Once the thing is downloaded, it could camouflage itself as any other application, hide its filename etc. This one says "Virus" but looks like the terminal application.
The file is non-toxic, it just runs "xmessage", but as I would hope you don't trust me with your filesystem, you might like to read it before you click it ;)

sorry about the bogus https warnings on my website.

I want to know:

1. do you agree that this is a serious security problem?
2. do you think we should fix it?

I'm happy to volunteer to do some of the work required to fix this problem.

thanks for reading! take care

Sam Watkins
[EMAIL PROTECTED]

a .desktop file:

[Desktop Entry]
Version=1.0
Encoding=UTF-8
Name=Virus
Comment=not really a virus, just a demo
Exec=xmessage "boo, you DON'T have a virus! at least not this time..."
Icon=gnome-terminal.png
Type=Application
_______________________________________________
xdg mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/xdg
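
Added example, not part of the original e-mail and not code from freedesktop.org, KDE or Gnome: a sketch of the launcher-side check the message proposes (launch only if the x-bit is set, keep a legacy exemption for root-owned files, otherwise ask the user). The names read_exec, launch_decision and trusted_uids are hypothetical, and the sample file is constructed from the demo file in the message with the proposed #! line added.

```python
import os
import stat
import tempfile

# Constructed sample: the message's demo file plus the proposed "#!" first line.
SAMPLE = '''#!/usr/bin/desktop-launch
[Desktop Entry]
Version=1.0
Name=Virus
Exec=xmessage "boo, you DON'T have a virus! at least not this time..."
Icon=gnome-terminal.png
Type=Application
'''

def read_exec(path):
    """Return the Exec value from the [Desktop Entry] group, or None."""
    group = None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments; the "#!" line lands here
            if line.startswith("[") and line.endswith("]"):
                group = line[1:-1]
            elif group == "Desktop Entry" and "=" in line:
                key, value = line.split("=", 1)
                if key.strip() == "Exec":
                    return value.strip()
    return None

def launch_decision(path, trusted_uids=(0,)):
    """Decide what a launcher should do with a clicked .desktop file.

    trusted_uids is an assumption of this sketch: owners whose files keep
    the old behaviour (the message suggests root-owned, packaged files).
    """
    st = os.stat(path)
    command = read_exec(path)
    if command is None:
        return ("refuse", "no Exec key in [Desktop Entry]")
    if st.st_mode & stat.S_IXUSR:
        return ("launch", command)         # "blessed" by the execute bit
    if st.st_uid in trusted_uids:
        return ("launch-legacy", command)  # transitional exemption
    return ("confirm", command)            # show the "confirm execute" dialogue

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".desktop", delete=False) as f:
        f.write(SAMPLE)
    os.chmod(f.name, 0o644)  # what a browser download typically looks like
    print(launch_decision(f.name, trusted_uids=()))
    os.unlink(f.name)
```

The function only returns a decision and never runs the Exec value; a real launcher would show the dialogue on "confirm" and chmod +x the file only after the user agrees.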
