[Bug 186894] New: Security checks before running .desktop Exec line

K.J. Petrie kde.bugs at instabook.com
Wed Mar 11 20:13:13 GMT 2009


https://bugs.kde.org/show_bug.cgi?id=186894

           Summary: Security checks before running .desktop Exec line
           Product: kde
           Version: 3.5
          Platform: unspecified
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: wishlist
          Priority: NOR
         Component: general
        AssignedTo: unassigned-bugs at kde.org
        ReportedBy: kde.bugs at instabook.com


Version:            (using KDE 3.5.10)
OS:                Linux
Installed from:    Unlisted Binary Package

Currently, because Desktop Configuration files are considered not to be
scripts, no check is made on the execute bit before running the Exec line, even
though the effect is similar to a script. This even applies if the line is run
by clicking on the file, which is the normal functionality these files provide.
Unfortunately, this feature, combined with the ability of these files to
display a different name and icon and thus appear as a different file type
altogether, enables confidence tricks to be played on users if they can be
persuaded to download a disguised file in the belief it is a document or image,
and to click on it to open it. This provides a trojan attack vector to
install malware in a user's account without their knowledge. Whilst it has
security implications, the scenario is well-known and therefore little harm is
done by mentioning it here.

I have developed a patch for kdelibs 3.5 which helps users to identify such
files by checking the execute bit if the file is not (owned by root and outside
the /home tree) or alternatively in the ~/.kde/ tree. If the execute bit is not
set the file will open in kwrite (if available) instead of running its Exec
line.

Thus those seeking to deceive would have to take more complex steps to disguise
their work and maintain its functionality, and such steps are more likely to
alert the user that all is not as it seems.

Desktop files copied from the above permitted areas will have the execute
permission set automatically to preserve the drag-and-drop functionality.

This "More Secure Desktop" can be turned off if the user does not want it.

I will attach the patch and also an rpm spec file to show how the components
can be installed.
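
The policy described in the report, sketched as an added example (this is not the reporter's patch or kdelibs code). The function names, the default paths, the reading that files owned by root outside /home or anywhere under ~/.kde/ are exempt, and the choice to accept any of the three execute bits are assumptions made for illustration.

```python
import os
import stat


def _inside(path, root):
    """True if path is root or lies beneath it, after resolving symlinks."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def is_exempt(path, owner_uid, home_root="/home", kde_dir="~/.kde"):
    """Exempt from the execute-bit check: anything under the KDE config
    tree, or a root-owned file located outside the home tree."""
    if _inside(path, os.path.expanduser(kde_dir)):
        return True
    return owner_uid == 0 and not _inside(path, home_root)


def may_run_exec(path, home_root="/home", kde_dir="~/.kde"):
    """Decide whether a launcher should run the Exec line of this .desktop
    file. False means: open it in a text editor instead of running it."""
    st = os.stat(path)  # follows symlinks, consistent with realpath above
    if is_exempt(path, st.st_uid, home_root, kde_dir):
        return True
    # Assumption: any of the user/group/other execute bits counts as "set".
    return bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a downloaded file posing as an image.
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        downloads = os.path.join(home, "user", "Downloads")
        os.makedirs(downloads)
        sample = os.path.join(downloads, "holiday.jpg.desktop")
        with open(sample, "w") as fh:
            fh.write("[Desktop Entry]\nType=Application\n"
                     "Name=holiday.jpg\nIcon=image-jpeg\nExec=true\n")
        os.chmod(sample, 0o644)  # typical mode of a freshly downloaded file
        kde = os.path.join(home, "user", ".kde")
        print("run Exec line:", may_run_exec(sample, home, kde))
```

Resolving symlinks before the path comparison keeps a link placed inside an exempt directory from lending its exemption to a file stored elsewhere.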
