On Tuesday 28 March 2006 11:27, Francois Gouget wrote: > Mike Hearn wrote: > [...] > > > To reiterate, the security problem here is that something which is a > > program can make itself look like a document by using a .desktop file. > > Right, that was the initial problem. But your proposals to use the +x > permission bit to fix it creates a lot more security issues that they > fix. Claiming they are unrelated is ridiculous. > > > The fact that +x bits have some other meaning for shell scripts and > > > > ELF files isn't related ..... > > The meaning of the +x bit is defined by the exec() Unix system call. It > does not matter to that system call whether the file is a shell script, > an ELF binary or a desktop file. You can say what you want, it *is* > related. > > When considering security issues you must always consider the whole > system, not just the one small aspect you are interested in. Failure to > do so results in opening more security holes than you plug.
I think it's a sane idea to require +x on .desktop files in order for a file browser or "Desktop" to execute the .desktop file. It shouldn't be too much of a problem to add a #!/usr/bin/xdg-open line to the format either, although it my take a while before applications actually start to add that. Cheers, Waldo -- Linux Client Architect - Channel Platform Solutions Group - Intel Corporation
pgp91AryLLvjt.pgp
Description: PGP signature
_______________________________________________ xdg mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/xdg
