Hello, Last week, an old security issue in desktop environments went through a widely public discussion (including on slashdot)[1][2]. As I said, this issue is not new[3], but there seem to be no action on the upstream to fix it.
After taking an extensive look in all the history of this discussion, I've oppened a new bug report in nautilus upstream[4], in addition to the two bug reports that were already openned in Debian[5][6]. As I made myself very clear in the bug reports, I don't think there is any good excuse to execute '.desktop' files without them having the x bit set. For those who didn't follow the discussion, this can make a fishing attack very much easy in both Gnome and KDE, since iceweasel downloads files directly to the user Desktop. The only really sane solution is behave like any *nix like Operating System and consider .desktop files to be executables, and thus require the x bit to execute them. Since .desktop is really the desktop variant for a .sh. In order to do that, a few other things would be required: 1) An "interpreter" for .desktop files, that can be used in the shbang of that files. [This is already done, look below] 2) Modify the packages providing .desktop files in order to both add the shbang and deploy the files with the x bit set. [This is the next step] 3) Modify nautilus so that .desktop files are not handled specially. They would be executed if they were executables or be shown in some way (properties dialog) if not. 4) Modify nautilus DnD code so that permissions should be preserved when dragging local .desktop files in mount points listed in /etc/fstab and owned by root or the user himself. Otherwise, umask must be enforced, meaning "strict by default, relax where needed". 5) Provide a "one-shot" migration process at the first time the user runs the new nautilus, so the user can review any file owned by himself in his Desktop or menu. This would only happen once, so this wouldn't become a "standard procedure" to the user. 6) Do the same in KDE and other Desktop Environments that interpret .desktop files. As I consider this issue to be very much important, I already took the time to work item 1[7]. The xdg-utils package already contains the "xdg-launch" utility in its git repo and should be uploaded soon, which leads us to the step 2, and once that is completed all the other items can happen, but item 2 is a blocker for everything else. I considered mass-filling bugs about this issue, and maybe I will at some point, but for start, I thought it would be nice to get this issue discussed here. P.S.: It has been used as an excuse the fact that extracting an archive file could result in .desktop files with the +x bit in the user home directory. I think that is a separated issue, and have filed a bug in file-roller upstream to make "preserve permissions" off by default.[8] daniel [1] http://www.geekzone.co.nz/foobar/6229 [2] http://www.geekzone.co.nz/foobar/6236 [3] http://lwn.net/Articles/178409/ [4] http://bugzilla.gnome.org/show_bug.cgi?id=572203 [5] http://bugs.debian.org/515104 [6] http://bugs.debian.org/515106 [7] http://bugs.debian.org/516352 [8] http://bugzilla.gnome.org/show_bug.cgi?id=572318 -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
