D15718: Do not index the path if the path has no execute permissions.
James Smith
noreply at phabricator.kde.org
Mon Sep 24 05:44:32 BST 2018
smithjd added a comment.
In D15718#330864 <https://phabricator.kde.org/D15718#330864>, @ngraham wrote:
> Making files executable that don't need to be executable is a bad security habit. What if the contents get replaced with something malicious? Suddenly that now-malicious file has execute permissions.
Replacing a file's contents requires write permissions on the file. I have plenty of executable shell scripts that aren't an immediate security risk, though I suppose if someone gained write privileges over my home, statistically speaking, a shell script is (currently) the most likely choice to gut and replace with malicious code. If an attacker already has write permission over your home, you have bigger problems than a forgotten set-executable file in it somewhere anyway. The patched state of that machine's software packages dictates how devastating that payload was to your administrator; meanwhile, your home has probably been wiped.
>
>
> ---
>
> Conceptually, you are proposing that the rest of the world adapt to our software, rather than the other way around. That's simply not practical. Even if this were a good idea, the world will never adapt to us. We must adapt to the world. Our software does not exist in a perfect state of total control over the environment it inhabits; it exists to facilitate busy people with messy lives as they work to accomplish their tasks with a minimum of hassle. That goal is not enhanced by breaking KDE Plasma's search tool for them unless they give all of their files execute permissions.
>
> Sorry, no go. We need to find a better way.
REPOSITORY
R293 Baloo
REVISION DETAIL
https://phabricator.kde.org/D15718
To: smithjd, ngraham, #baloo
Cc: bruns, ngraham, kde-frameworks-devel, #baloo, ashaposhnikov, michaelh, astippich, spoorun, abrahams