requiring .desktop files to be executable ?
David Faure
faure at kde.org
Mon Feb 23 14:24:08 GMT 2009
On Monday 23 February 2009, Roland Harnau wrote:
> 2009/2/22, Michael Pyne <mpyne at purinchu.net>:
> > On Sunday 22 February 2009, Roland Harnau wrote:
>
> >> Perhaps I'm a bit late, but I think the whole idea is rather dubious.
> >> A .desktop file is executable if and only if it contains a (vaild)
> >> Exec key, and according to the Desktop Entry Specification this key is
> >> not required (e.g. .desktop files for Plasmoids do not contain them).
> >> They simply don't fit in the classical UNIX permission scheme.
> >
> > The subset of .desktop files with a valid Exec= key on the other hand
> > certainly should fit within that scheme however.
>
> Your commit addresses the direct security threat, but the question
> remains in what way should the spec be extended. Requiring .desktop
> files to have executable bit and shebang line dependent on an
> optional key will for sure cause some inconsinstencies.
It's not about the optional key Exec, it's about Type=Application desktop files.
Ok that key is optional too, but Application is the default value. There are only
a few kinds of desktop files, this security thing is about the Application kind.
The plasma desktop files you are talking about are Type=Service desktop files,
so those are completely unrelated to this (they certainly never end up in
klauncher or KRun anyway).
I don't see what the problem is.
> Are there valid use cases for executable .desktop files in non-standard
> locations at all?
Yes, of course: .desktop files on your desktop for starting apps.
You know, the way Windows users start all their apps :-)
--
David Faure, faure at kde.org, sponsored by Qt Software @ Nokia to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
More information about the kde-core-devel
mailing list