.desktop security changes are committed

Michael Pyne mpyne at purinchu.net
Sun Feb 22 22:23:04 GMT 2009


On Sunday 22 February 2009, Andras Mantia wrote:
> On Sunday 22 February 2009, Michael Pyne wrote:
> > Michael Jansen reports that autostart needs an exception too.
>
> Well, we agreed with David Faure that it is not a good idea to have
> there an exception, as that is a user writable folder and the malicious
> website might say "save me in the autostart folder". ;)  And I don't see
> a need to make it an exemption, rather the systemsettings module should
> make it executable when it copies the .desktop file in the autostart folder.

"apps", "services", and "xdgdata-apps" are all writable by the user in this 
situation (a KDE install to $HOME), so checking the prefix doesn't change 
anything with regard to security, as the malicious website may say to "save me 
in `kde4-config --install apps`".

The reason I didn't notice in my own setup is that I use sudo to install to 
make the kscreensaver_lock work.

Regards,
 - Michael Pyne