Bug 186894

Summary: Security checks before running .desktop Exec line
Product: [I don't know] kde Reporter: K.J. Petrie <kde.bugs>
Component: generalAssignee: Unassigned bugs <unassigned-bugs-null>
Status: RESOLVED FIXED    
Severity: wishlist CC: mpyne
Priority: NOR    
Version First Reported In: 3.5   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: Patch to change handling of .desktop files
spec file to show install paths and post(un) scriptlets

Description K.J. Petrie 2009-03-11 21:13:11 UTC 
Version:            (using KDE 3.5.10)
OS:                Linux
Installed from:    Unlisted Binary Package

Currently, because Desktop Configuration files are considered not to be scripts, no check is made on the execute bit before running the Exec line, even though the effect is similar to a script. This even applies if the line is run by clicking on the file, which is the normal functionality these files provide. Unfortunately, this feature, combined with the ability of these files to display a different name and icon and thus appear as a different file type altogether, enables confidence tricks to be played on users if they can be persuaded to download a disguised file in the belief it is a document or image, and to click on them to open them. This provides a trojan attack vector to install malware in a user's account without their knowledge. Whilst it has security implications, the scenario is well-known and therefore little harm is done by mentioning it here.
I have developed a patch for kdelibs 3.5 which helps users to identify such files by checking the execute bit if the file is not (owned by root and outside the /home tree) or alternatively in the ~/.kde/ tree. If the execute bit is not set the file will open in kwrite (if available) instead of running its Exec line.
Thus those seeking to deceive would have to take more complex steps to disguise their work and maintain its functionality, and such steps are more likely to alert the user that all is not as it seems.
Desktop files copied from the above permitted areas will have the execute permission set automatically to preserve the drag-and-drop functionality.
This "More Secure Desktop" can be turned off if the user does not want it.
I will attach the patch and also an rpm spec file to show how the components can be installed.
Comment 1 K.J. Petrie 2009-03-11 21:14:55 UTC 
Created attachment 32034 [details]
Patch to change handling of .desktop files
Comment 2 K.J. Petrie 2009-03-11 21:20:40 UTC 
Created attachment 32035 [details]
spec file to show install paths and post(un) scriptlets

This is probably not ideal. I probably should add an INSTALL.MSD or some such file to the patch to explain how the icons, scripts, scriptlets and Desktop file should be used. However, for now I hope this will communicate that information, though I appreciate it's a lot to wade through.
Comment 3 K.J. Petrie 2009-10-31 17:12:50 UTC 
KDE 4 now flags the first use of .desktop files as potentially dangerous and warns the user, so this problem no longer arises.