On Tue, 2006-04-04 at 21:38 +0100, Dave Cridland wrote:
> On Tue Apr 4 20:03:14 2006, Mark Seaborn wrote:
> > A user might receive a tar file as an attachment, open it (presumably
> > causing it to be unpacked to a temporary directory), double-click the
> > .desktop file -- and thereby give an untrusted program access to their
> > whole user account without warning.
>
> a) They could do that with a binary, too, or a shell script. This is
> not special to .desktop files, whether +x or not.

Exactly. So what's the point? Why bother making a crap desktop file that can't really do all that much anyway, when I can just send you an actual binary that /will/ get run when you double-click it in the archiver application or file manager? Better yet, why don't I just write a win32 binary which does some nasty stuff on Linux, and let you open it with Wine, without requiring it to be +x, since you aren't running it directly from the shell, as you're double-clicking it in the file manager?

> b) Double-clicking on a .desktop file in file-roller opens it in
> gedit. (Whether it's +x or not, as it happens, because I checked).

But not everyone opens tar archives in file-roller and uses Evolution to read their mail and open attachments from. How does this behave in KDE? XFCE? Thunderbird? Various other things which the user may receive tar files through? GNOME isn't the only thing we need to care about with a solution here.

> c) Does mandating +x make things harder, or easier, for an attacker?

It makes it indifferent for the most part. If the user is going to listen to the attacker and run the file anyway, what's to stop them from just saying "you have to run chmod +x $filename in a terminal to use this thing"? This is what the RealPlayer Linux install page said for a number of years, when the installer was offered as a .bin that you run. Plenty of things shipped as .shar files have said this too. It's not like it's exactly uncommon in the world of unix to require setting the +x bit before you can run it. I don't think extending that requirement to desktop files is going to solve anything. It's going to make it more of a pain for developers of valid software than it is for attackers.

-- 
dobey

_______________________________________________
xdg mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/xdg
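The launch-policy check the thread is arguing about, written out as an added Python example (not code from this thread or from any desktop environment): a file manager that parses a .desktop entry and only returns "launch" when it is a well-formed Application entry with an Exec= line and the file carries the executable bit. The sample entries, the file names and the +x-gated rule itself are constructed for illustration.

```python
import os
import stat
import tempfile
from configparser import ConfigParser, Error as ConfigError

# Constructed sample entry (not from the page); the launch target is harmless.
SAMPLE_DESKTOP = "[Desktop Entry]\nType=Application\nName=Constructed Example\nExec=/bin/true\n"

def desktop_launch_decision(path):
    """Return "launch" only for a well-formed Application entry that carries +x;
    anything else (garbage, no Exec=, no executable bit) gets "open-as-text"."""
    parser = ConfigParser(interpolation=None, strict=False)
    try:
        with open(path, encoding="utf-8") as fh:
            parser.read_file(fh)
    except (OSError, ConfigError, UnicodeDecodeError):
        return "open-as-text"          # unparsable: treat as plain text, never run
    if not parser.has_section("Desktop Entry"):
        return "open-as-text"
    entry = parser["Desktop Entry"]
    if entry.get("Type") != "Application" or not entry.get("Exec"):
        return "open-as-text"          # nothing launchable declared
    if not os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "open-as-text"          # the +x gate debated in the thread
    return "launch"

def write_sample(directory, name, content, executable):
    """Write a constructed .desktop file with or without +x; return its path."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(path, 0o755 if executable else 0o644)
    return path

def demo():
    """Run the policy over four constructed files; return {filename: decision}."""
    cases = {
        "plain.desktop": (SAMPLE_DESKTOP, False),            # valid entry, not +x
        "executable.desktop": (SAMPLE_DESKTOP, True),        # valid entry, +x
        "noexec.desktop": (SAMPLE_DESKTOP.replace("Exec=/bin/true\n", ""), True),
        "garbage.desktop": ("not a desktop entry at all\n", True),
    }
    with tempfile.TemporaryDirectory() as tmp:
        return {name: desktop_launch_decision(write_sample(tmp, name, body, x))
                for name, (body, x) in cases.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Note that, as the thread points out, the gate only decides how the file manager treats the file; it does nothing against a binary or script the user is talked into running by other means.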
