Blocking execution of non-exec things

Kees Cook kees at
Tue Jan 19 15:25:20 GMT 2010

On Tue, Jan 19, 2010 at 11:38:54AM +0100, Martin Pitt wrote:
> Kees Cook [2010-01-12 10:19 -0800]:
> > As part of implementing the "Execute-Permission Bit Required" policy[1], I
> > need to make changes to a few MIME handlers and to the nautilus .desktop
> > file handler.
> > 
> > The main issue is that of the error message to produce, and I'm hoping to
> > get some input for that from the Desktop team.
> I actually find the current error message text quite good. Keeping it
> would also mean to not break all the existing translations.
> How about we just drop the "Start anyway" and "Mark as trustworthy"
> (translated from German) buttons and replace it with a "Explain..."
> button which pops up a message box with further text, or opens a web
> browser with a wiki page?

Sure, that sounds good.  For people upgrading from Hardy, I'm thinking we
need to preserve the Start/Mark buttons when the .desktop has a ctime
(marking a .desktop as executable doesn't change mtime) below a certain
date; perhaps the release date of Karmic?

For the Wiki, I've built:

Currently the mime-support patch points there, but "cautious-launcher"
(for MIME handlers) needs to be translatable.


Kees Cook
Ubuntu Security Team

More information about the ubuntu-desktop mailing list