FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

 
 
LinkBack Thread Tools
 
Old 02-24-2009, 06:49 PM
Emilio Pozuelo Monfort
 
Default Security Issue of .desktop files

Daniel Ruoso wrote:
> Em Ter, 2009-02-24 *s 19:35 +0100, Josselin Mouette escreveu:
>> Le mardi 24 février 2009 * 15:21 -0300, Daniel Ruoso a écrit :
>>> Last week, an old security issue in desktop environments went through a
>>> widely public discussion (including on slashdot)[1][2]. As I said, this
>>> issue is not new[3], but there seem to be no action on the upstream to
>>> fix it.
>> On the contrary, there is action upstream to fix it, and Nautilus 2.26
>> will only launch “safe” .desktop files.
>
> and what are "safe" .desktop files?

See this mail and its followups:

http://mail.gnome.org/archives/desktop-devel-list/2009-February/msg00132.html

Cheers,
Emilio
 
Old 02-24-2009, 07:32 PM
Daniel Ruoso
 
Default Security Issue of .desktop files

Em Ter, 2009-02-24 s 20:27 +0100, Yves-Alexis Perez escreveu:
> By who? The Browser? Fix the browser?

Please take a look at all the discussion in the bug reports, I don't
think we need to repeat all the argumentation here.

daniel


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-24-2009, 07:36 PM
Daniel Ruoso
 
Default Security Issue of .desktop files

Em Ter, 2009-02-24 *s 20:49 +0100, Emilio Pozuelo Monfort escreveu:
> Daniel Ruoso wrote:
> > Em Ter, 2009-02-24 *s 19:35 +0100, Josselin Mouette escreveu:
> >> Le mardi 24 février 2009 * 15:21 -0300, Daniel Ruoso a écrit :
> >>> Last week, an old security issue in desktop environments went through a
> >>> widely public discussion (including on slashdot)[1][2]. As I said, this
> >>> issue is not new[3], but there seem to be no action on the upstream to
> >>> fix it.
> >> On the contrary, there is action upstream to fix it, and Nautilus 2.26
> >> will only launch “safe” .desktop files.
> > and what are "safe" .desktop files?
> See this mail and its followups:
> http://mail.gnome.org/archives/desktop-devel-list/2009-February/msg00132.html

I'm glad to see that, it's a shame I haven't found that thread. So, for
the record, *nautilus* is solving the .desktop files issue by:

1) Special casing files that are system-wide installed.
2) Requiring .desktop files to have the x bit set otherwise.

I'm pretty happy with that solution (although I would prefer not having
the "launch anyway"/"mark as trusted" box, but rather simply show the
properties dialog for a non-executable-non-system-wide .desktop file
(but I think that should go as an suggestion to upstream)).

I also would suggest that as a migration plan only, where we do turn
all .desktop files into executables in the future, so we have a
consistent environment.

Also, as "mark as trusted" is making the file executable, are you
planning to add a shbang to it?

daniel


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-24-2009, 07:43 PM
Josselin Mouette
 
Default Security Issue of .desktop files

Le mardi 24 fvrier 2009 17:36 -0300, Daniel Ruoso a crit :
> I'm pretty happy with that solution (although I would prefer not having
> the "launch anyway"/"mark as trusted" box, but rather simply show the
> properties dialog for a non-executable-non-system-wide .desktop file
> (but I think that should go as an suggestion to upstream)).

How about discussing this with upstream instead of here? I already told
them that allowing to launch it anyway is a bad idea.

> I also would suggest that as a migration plan only, where we do turn
> all .desktop files into executables in the future, so we have a
> consistent environment.

What is the purpose of having system .desktop files executable?

> Also, as "mark as trusted" is making the file executable, are you
> planning to add a shbang to it?

No.

--
.'`. Debian 5.0 "Lenny" has been released!
: :' :
`. `' Last night, Darth Vader came down from planet Vulcan and told
`- me that if you don't install Lenny, he'd melt your brain.
 
Old 02-24-2009, 08:08 PM
Daniel Ruoso
 
Default Security Issue of .desktop files

Em Ter, 2009-02-24 s 21:43 +0100, Josselin Mouette escreveu:
> > I also would suggest that as a migration plan only, where we do turn
> > all .desktop files into executables in the future, so we have a
> > consistent environment.
> What is the purpose of having system .desktop files executable?

Allowing that in the future no special handling is needed for that, just
a single rule: "Is it an executable? execute!". No special handling for
launching .desktop files ...

daniel


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-24-2009, 08:33 PM
"Michael S. Gilbert"
 
Default Security Issue of .desktop files

On Tue, 24 Feb 2009 17:32:57 -0300, Daniel Ruoso wrote:
> > By who? The Browser? Fix the browser?
>
> Please take a look at all the discussion in the bug reports, I don't
> think we need to repeat all the argumentation here.

I think Yves is saying that the launcher issue is (and always was)
correctly handled in the XFCE desktop. This is a GNOME/KDE-specific
problem. If the browser (iceweasel, epiphany, etc) handles the
launchers via its own means, then there still may be a problem, but
that would certainly not be the fault of the desktop environment.

If there are indeed vectors for attacks via browsers, then bugs should
certainly be reported against their BTS's. But first, please determine
whether the vector exists.

Best wishes,
Mike


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-24-2009, 08:35 PM
Daniel Ruoso
 
Default Security Issue of .desktop files

Em Ter, 2009-02-24 s 16:33 -0500, Michael S. Gilbert escreveu:
> I think Yves is saying that the launcher issue is (and always was)
> correctly handled in the XFCE desktop. This is a GNOME/KDE-specific
> problem.

So if a .desktop file appears in the user's Desktop without the x bit
set and the user clicks it, it won't get executed...

daniel


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-24-2009, 08:48 PM
Armin Berres
 
Default Security Issue of .desktop files

On Tue, 24 Feb 09 17:36, Daniel Ruoso wrote:
> Em Ter, 2009-02-24 *s 20:49 +0100, Emilio Pozuelo Monfort escreveu:
> > Daniel Ruoso wrote:
> > > Em Ter, 2009-02-24 *s 19:35 +0100, Josselin Mouette escreveu:
> > >> Le mardi 24 février 2009 * 15:21 -0300, Daniel Ruoso a écrit :
> > >>> Last week, an old security issue in desktop environments went through a
> > >>> widely public discussion (including on slashdot)[1][2]. As I said, this
> > >>> issue is not new[3], but there seem to be no action on the upstream to
> > >>> fix it.
> > >> On the contrary, there is action upstream to fix it, and Nautilus 2.26
> > >> will only launch “safe” .desktop files.
> > > and what are "safe" .desktop files?
> > See this mail and its followups:
> > http://mail.gnome.org/archives/desktop-devel-list/2009-February/msg00132.html
>
> I'm glad to see that, it's a shame I haven't found that thread. So, for
> the record, *nautilus* is solving the .desktop files issue by:
>
> 1) Special casing files that are system-wide installed.
> 2) Requiring .desktop files to have the x bit set otherwise.
>
> I'm pretty happy with that solution (although I would prefer not having
> the "launch anyway"/"mark as trusted" box, but rather simply show the
> properties dialog for a non-executable-non-system-wide .desktop file
> (but I think that should go as an suggestion to upstream)).

FWIW the same has been implemented in KDE. There are some recent threads
in kde-core-devel if you are interested in further information.

Greetings,
Armin


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-24-2009, 08:53 PM
Yves-Alexis Perez
 
Default Security Issue of .desktop files

On mar, 2009-02-24 at 18:35 -0300, Daniel Ruoso wrote:
> So if a .desktop file appears in the user's Desktop without the x bit
> set and the user clicks it, it won't get executed..

Not exactly. The “safe” .desktop file was in the link I pasted on
another mail in the thread:

/* check if the file tries to look like a regular document (i.e.
* a display name of 'file.png'), maybe a virus or other malware.
*/
fake_mime_info = thunar_vfs_mime_database_get_info_for_name (_thunar_vfs_mime_database, str);
if (fake_mime_info != _thunar_vfs_mime_application_octet_stream && fake_mime_info != info->mime_info)
{
/* release the previous mime info */
thunar_vfs_mime_info_unref (info->mime_info);

/* set the MIME type of the file to 'x-thunar/suspected-malware' to indicate that
* it's not safe to trust the file content and execute it or otherwise operate on it.
*/
info->mime_info = thunar_vfs_mime_database_get_info (_thunar_vfs_mime_database, "x-thunar/suspected-malware");

/* reset the executable flag */
info->flags &= ~THUNAR_VFS_FILE_FLAGS_EXECUTABLE;

/* reset the custom icon */
g_free (info->custom_icon);
info->custom_icon = NULL;

/* reset the name str, so we display the real file name */
name = NULL;
}

Basically, when the .desktop tries to trick the user, it won't be
executed.

Cheers,
--
Yves-Alexis
 
Old 02-24-2009, 09:09 PM
Daniel Ruoso
 
Default Security Issue of .desktop files

Em Ter, 2009-02-24 *s 22:53 +0100, Yves-Alexis Perez escreveu:
> On mar, 2009-02-24 at 18:35 -0300, Daniel Ruoso wrote:
> > So if a .desktop file appears in the user's Desktop without the x bit
> > set and the user clicks it, it won't get executed..
> Not exactly. The “safe” .desktop file was in the link I pasted on
> another mail in the thread:

So if the launcher use a plain name like "Nude Shots", it will get
executed?

daniel


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 

Thread Tools




All times are GMT. The time now is 07:12 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org