Trusting .desktop files
Martin Gräßlin
mgraesslin at kde.org
Sat Feb 11 07:24:11 UTC 2017
On 2017-02-10 19:56, Fabian Vogt wrote:
> Hi,
>
> The reddit post "How to easily trick $FILE_MANAGER users to execute arbitrary code"
> (https://www.reddit.com/r/linux/comments/5r6va0) spawned a discussion about .desktop files.
Thanks for bringing up this important topic! (Although I get more and
more annoyed how bug reporting moves to reddit :-P)
> What I'm proposing instead is to keep a list of trusted Exec= values and ask the user for confirmation
> every time a .desktop file with an unknown Exec= gets opened.
> Advantages:
>
> - (Minor, does not usually happen) Changing Exec= revokes the trustedness.
> - Copying .desktop files just works. Currently DnD'd .desktop files from /usr/share/applications/
> onto the desktop are untrusted by default.
> - The prompt shown when opening an untrusted file specifically shows only the Exec= value.
> So it's also the Exec= value the user trusts and not the .desktop file.
> - Cannot be faked by archives.
>
> As Exec= can also contain relative paths, the working directory needs
> to be accounted for as well.
>
> Thoughts, suggestions?
What I don't like in general is that this is all happening as $user.
Thus any malicious program running as $user can also just change the
list of trusted Exec= values.
So my suggestion is: let's use polkit.
The list of trusted .desktop files must be root-owned and per-user.
Every time a user asks for executing an unknown (or changed) desktop
file, it goes through polkit. To detect changes of the desktop file I
would suggest to store the shasum of the desktop file in addition. This
would prevent malicious programs from simply changing the desktop file.
What do you think? Sensible? Too much?
Cheers
Martin
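The following is an added illustration of the scheme discussed in this thread; it is not code from KDE, from either poster, or from any existing file manager. It combines Fabian's idea (trust is keyed on the Exec= value, with relative paths resolved against the working directory) with Martin's addition (a SHA-256 of the file contents is stored alongside, so any edit to the file revokes trust). The polkit step is not implemented: an in-memory dict stands in for the root-owned, per-user store, and `store_is_protected` only shows the ownership and mode check such a store would need. The sample .desktop contents, the `/opt/unexpected/binary` and `/home/user/Desktop` paths, and the `kwrite.desktop` file name are constructed for the demonstration.

```python
"""Trust check for .desktop files: trust is keyed on the normalised Exec=
value and pinned to a SHA-256 of the file contents, so changing either one
revokes it. Added example for the kde-frameworks-devel discussion; the
polkit-mediated, root-owned store is assumed, not implemented."""
import hashlib
import os
import shlex
import stat
import tempfile
from typing import Dict, Optional, Tuple

# Constructed sample file; stands in for /usr/share/applications/kwrite.desktop.
SAMPLE = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=kwrite %f
"""


def parse_exec(text: str) -> Optional[str]:
    """Return the Exec= value from the [Desktop Entry] group, or None if absent."""
    in_entry = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_entry = line == "[Desktop Entry]"
            continue
        if in_entry:
            key, sep, value = line.partition("=")
            if sep and key.strip() == "Exec":
                return value.strip()
    return None


def normalize_exec(exec_value: str, workdir: str) -> str:
    """Canonical trust key for an Exec= line. A relative program path (one that
    contains a slash but is not absolute) is resolved against the working
    directory, so './helper' in two different directories gives two keys.
    Bare command names are left alone; they resolve through PATH."""
    argv = shlex.split(exec_value)
    if argv and "/" in argv[0] and not os.path.isabs(argv[0]):
        argv[0] = os.path.normpath(os.path.join(workdir, argv[0]))
    return " ".join(shlex.quote(a) for a in argv)


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_desktop_file(path: str, store: Dict[str, str],
                       workdir: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Decide what to do before launching a .desktop file.
    Returns (verdict, trust_key): 'trusted', 'unknown-exec' (prompt, showing the
    Exec= value), 'changed' (Exec= known but file bytes differ), or 'no-exec'."""
    with open(path, "rb") as f:
        data = f.read()
    exec_value = parse_exec(data.decode("utf-8", errors="replace"))
    if exec_value is None:
        return "no-exec", None
    key = normalize_exec(exec_value, workdir or os.path.dirname(os.path.abspath(path)))
    pinned = store.get(key)
    if pinned is None:
        return "unknown-exec", key
    if pinned != _digest(data):
        return "changed", key
    return "trusted", key


def trust_desktop_file(path: str, store: Dict[str, str],
                       workdir: Optional[str] = None) -> str:
    """Record the file's Exec= key and content hash as trusted. In the design
    from the thread this write would go through a polkit-authorised helper into
    a root-owned per-user store (assumed; here the dict is written directly)."""
    with open(path, "rb") as f:
        data = f.read()
    exec_value = parse_exec(data.decode("utf-8", errors="replace"))
    if exec_value is None:
        raise ValueError("no Exec= line, nothing to trust")
    key = normalize_exec(exec_value, workdir or os.path.dirname(os.path.abspath(path)))
    store[key] = _digest(data)
    return key


def store_is_protected(uid: int, mode: int) -> bool:
    """The trust store must be root-owned and not writable by group or others,
    otherwise any program running as $user could add entries to it."""
    return uid == 0 and (mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Walk through the scenarios raised in the thread and return each verdict."""
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    store: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        system_copy = os.path.join(tmp, "applications", "kwrite.desktop")
        desktop_copy = os.path.join(tmp, "Desktop", "kwrite.desktop")
        _write(system_copy, SAMPLE)
        results["before_trust"] = check_desktop_file(system_copy, store)
        trust_desktop_file(system_copy, store)
        # DnD copy onto the desktop: same bytes, same Exec=, so still trusted.
        _write(desktop_copy, SAMPLE)
        results["copied"] = check_desktop_file(desktop_copy, store)
        # Exec= swapped: the key is unknown, user sees the new Exec= value.
        _write(desktop_copy, SAMPLE.replace("Exec=kwrite %f", "Exec=/opt/unexpected/binary"))
        results["exec_changed"] = check_desktop_file(desktop_copy, store)
        # Only Name= edited: Exec= key matches but the pinned hash does not.
        _write(desktop_copy, SAMPLE.replace("Name=Text Editor", "Name=Text Editor (copy)"))
        results["content_changed"] = check_desktop_file(desktop_copy, store)
        # Relative Exec= resolved against an explicit (constructed) working directory.
        _write(desktop_copy, SAMPLE.replace("Exec=kwrite %f", "Exec=./helper %f"))
        results["relative_exec"] = check_desktop_file(desktop_copy, store,
                                                      workdir="/home/user/Desktop")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The verdicts are the decision points a file manager would wire to its UI: `trusted` launches, `unknown-exec` shows the confirmation prompt with the Exec= value, and `changed` re-prompts because the bytes no longer match what was trusted. `store_is_protected` is the check the loader would apply to the store file before believing any entry in it.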