KDE and the executable bit

Marc Espie espie at nerim.net
Mon Jan 28 12:46:23 GMT 2008


On Mon, Jan 28, 2008 at 02:23:32PM +0200, Andras Mantia wrote:
> On Monday 28 January 2008, Marc Espie wrote:
> > Your average user gets a .jpg file, he doesn't want it to execute
> > just because it has an x bit...

> Let me know how the average user gets a jpg file with the x bit...

You have your security backwards.

Most attack scenarios involve quite a few intermediate steps.
Blocking them only requires that you remove one intermediate step.

You just need to focus on the actual issue. Assume your average user
gets a file that looks like a jpg (or some other MIME-type), and that
has the executable type. If you execute that blindly, then you will
be part of some attacks.

Executing `surprising' files is a bad idea, as Windows has proved times

> And again, what if the average user gets a compiled file, and .sh file 
> which does rm -rf $HOME ? 

This is less surprising.  At least, compiled files without any other
MIME-Types don't masquerade as anything else...

At some point, there's probably sense in not blindly executing shell
scripts... after all, everyone filters out .pif files by this point....
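
The distinction drawn in this message, as an added example that is not part of the original post or KDE code: a Python sketch of what a file manager could decide when a user activates a file. The `classify` name, the extension and magic-byte lists, and the four verdicts are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Leading bytes of content the kernel or a shell would run (assumed short list).
EXEC_MAGIC = (b"\x7fELF", b"#!")
# Extensions a user expects a viewer to open, never to run (assumed sample).
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}

def classify(path):
    """Return 'open', 'run', 'ask' or 'refuse' for a file the user activated."""
    mode = os.stat(path).st_mode
    has_x = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4)
    looks_exec = head.startswith(EXEC_MAGIC)
    if ext in DATA_EXTS:
        # The name promises data: never execute it, whatever the x bit says.
        # Executable content behind a data name is the "surprising" file.
        return "refuse" if looks_exec else "open"
    if has_x and looks_exec:
        # Nothing is disguised here; scripts still get a confirmation prompt.
        return "ask" if head.startswith(b"#!") else "run"
    return "open"

def demo():
    samples = {  # constructed sample files: (content, permission bits)
        "holiday.jpg": (b"\xff\xd8\xff\xe0JFIF", 0o755),  # real JPEG, stray x bit
        "invoice.jpg": (b"#!/bin/sh\necho hi\n", 0o755),  # script posing as image
        "tool": (b"\x7fELF\x02\x01\x01", 0o755),          # plain compiled binary
        "setup.sh": (b"#!/bin/sh\necho hi\n", 0o755),     # honest shell script
        "notes.sh": (b"#!/bin/sh\necho hi\n", 0o644),     # script without x bit
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (data, mode) in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)
            results[name] = classify(p)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} -> {verdict}")
```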




More information about the kde-core-devel mailing list