Scary .desktop behaviour

Julien Olivier julo at altern.org
Tue Jan 4 07:35:37 CST 2005


> > Attached is a fun example.
> 
> I don't get the point, there are a million ways to launch a command,
> what's specific to the desktop files?

As I understand it, .desktop files are the only ones that can be sent
attached in an email and executed right after being downloaded without
any manipulation (apart from right-clicking it). Moreover, as
the .desktop file appears in Nautilus as "GoodDocument.doc" instead of
"GoodDocument.doc.desktop", it is easy to make users believe that it is
*not* executable while it is.

In the case of bash scripts or binary executables, if they are attached
to an email, then downloaded locally, they can't be run without
*explicitly* running chmod +x.

IMHO, this problem is a critical security issue, even if it can only
affect the user's files (which are often the most important ones).

-- 
Julien Olivier <julo at altern.org>
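
Added example, not part of the original message or of any project's code: a defensive check for the two properties described above, a launcher whose Name= reads like a document filename and which carries an Exec= line without ever having been given the execute bit. The extension list, function names and the sample files are assumptions constructed for illustration.

```python
import configparser, os, pathlib, re, stat, tempfile

# Extensions a launcher's display name may borrow to pass as a document (assumed list).
DOC_EXT = re.compile(r"\.(doc|odt|pdf|txt|xls|ppt|jpg|png)$", re.I)

def inspect_launcher(path):
    """Return a list of findings for one .desktop file; empty means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # desktop entry keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            cp.read_file(fh)
    except configparser.Error:
        return ["unparseable desktop entry"]
    entry = cp["Desktop Entry"] if cp.has_section("Desktop Entry") else {}
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return []  # links and directories do not run a command
    findings = []
    name = entry.get("Name", "")
    if DOC_EXT.search(name):
        findings.append(f"display name {name!r} looks like a document but runs: {entry['Exec']}")
    if not os.stat(path).st_mode & stat.S_IXUSR:
        findings.append("launcher has no execute bit (nobody ran chmod +x on it)")
    return findings

def scan(directory):
    """Map each flagged .desktop file under directory to its findings."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            if fn.endswith(".desktop"):
                found = inspect_launcher(os.path.join(root, fn))
                if found:
                    report[fn] = found
    return report

def demo():
    """Write two constructed sample files to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        samples = {  # constructed samples; the Exec line is a harmless echo
            "GoodDocument.doc.desktop": "[Desktop Entry]\nType=Application\nName=GoodDocument.doc\nExec=sh -c 'echo demo'\n",
            "notes.desktop": "[Desktop Entry]\nType=Link\nName=Notes\nURL=http://example.org/\n",
        }
        for fn, body in samples.items():
            pathlib.Path(d, fn).write_text(body)
        return scan(d)

if __name__ == "__main__":
    print(demo())
```

Pointing scan() at a mail client's attachment or download directory lists every launcher that would display under a document-like name.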



