D15718: Do not index the path if the path has no execute permissions.

James Smith noreply at phabricator.kde.org
Mon Sep 24 05:44:32 BST 2018


smithjd added a comment.


  In D15718#330864 <https://phabricator.kde.org/D15718#330864>, @ngraham wrote:
  
  > Making files executable that don't need to be executable is a bad security habit. What if the contents get replaced with something malicious? Suddenly that now-malicious file has execute permissions.
  
  
  Replacing a file's contents requires write permissions on the file. I have plenty of executable shell scripts that aren't an immediate security risk, though I suppose if someone gained write privileges over my home statistically speaking a shell script is (currently) the most likely choice to gut and replace with malicious code. If an attacker already has write permission over your home you have bigger problems than a forgotten set-executable file in it somewhere anyway. The patched state of that machine's software packages dictates how devastating that payload was to your administrator, meanwhile your home has probably been wiped.
  
  > 
  > 
  >  ---
  > 
  > Conceptually, you are proposing that the rest of the world adapt to our software, rather than the other way around. That's simply not practical. Even if this were a good idea, the world will never adapt to us. We must adapt to the world. Our software does not exist in a perfect state of total control over the environment it inhabits; it exists to facilitate busy people with messy lives as they work to accomplish their tasks with a minimum of hassle. That goal is not enhanced by breaking KDE Plasma's search tool for them unless they give all of their files execute permissions.
  > 
  > Sorry, no go. We need to find a better way.

REPOSITORY
  R293 Baloo

REVISION DETAIL
  https://phabricator.kde.org/D15718

To: smithjd, ngraham, #baloo
Cc: bruns, ngraham, kde-frameworks-devel, #baloo, ashaposhnikov, michaelh, astippich, spoorun, abrahams
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20180924/60a5144f/attachment-0001.html>


More information about the Kde-frameworks-devel mailing list