The advantage of .desktop files without executable bit set

desktopfilespermissionsSecurityx11

The freedesktop organization defines the standard for .desktop files. Unfortunately it defines not the permissions of the file (see freedesktop mailinglist) and software is distributed with

a) executable .desktop files
b) non executable .desktop files
c) mixed a) and b) in one software package.

This is not very satisfying for Linux distributors, who aim to provide a consistent system. I want to use the broad audience of sx, to find out

what advantage has a .desktop file without execution bit? Is there any reason for not having all .desktop files executable if the filesystem alows it?

Are there known security problems? Are there programs which have difficulties with executable .desktop files?

Best Answer

One obvious reason a .desktop has not necessarily the executable bit set is these files were not intended to be executable in the first place. A .desktop file contains metadata the tell the desktop environment how to associate programs to file types but was never designed to be executed itself.

However, as a .desktop file indirectly tell the graphic environment what to execute, it has an indirect capacity to launch whatever program is defined in it, opening the door to exploits. To avoid malicious .desktop files to be responsible to the launch of hostile or unwanted programs, KDE and gnome developers introduced a custom hack that somewhat deviates the intended Unix file execution permission purpose to add a security layer. With this new layer, only .desktop files with the executable bit set are taken into account by the desktop environment.

Just turning a non executable file like a .desktop one to an executable one would be a questionable practice because it introduces a risk. Non binary executable files with no shebang are executed by a shell (be it bash or sh or whatever). Asking the shell to execute a file which is not a shell script has unpredictable results.

To avoid that issue, a shebang needs to be present in the .desktop files and should point to the right command designed to handle them, xdg-open, like for example Thunderbird does here:

#!/usr/bin/env xdg-open
[Desktop Entry]
Version=1.0
Name=Thunderbird
GenericName=Email
Comment=Send and Receive Email
...

In this case, executing the .desktop file will do whatever xdg-open (and your Desktop Environment) believe is the right thing to do, possibly just opening the file with a browser or a text editor which might not be what you expect.

Related Solutions

Under what scenarios would I want to set a SUID bit

Setuid and setgid (and setcap where it exists) are the only ways to elevate privileges. Other than through this mechanism, a process can relinquish privileges, but never gain them. Therefore you would not be able to do anything that requires additional privileges.

For example, the programs su and sudo need to be able to run commands as any user. Therefore they need to run as root, no matter which user called them.

Another example is ping. TCP and UDP sockets are accessible to any user, because these protocols have a notion of ports, and a process can take control of a port (which is called binding it), so the kernel knows where to send the packets. ICMP has no such notion, so only programs running as root (or with the appropriate capability) are allowed to request that ICMP packets are dispatched to them. In order for any user to be able to run ping, the ping program needs to have an additional privilege, so it's setuid root (or setcap).

For an example of group privileges, consider a game that stores local high scores in a file. Since only actual high scores achieved by users should be stored in the score file, the score file must not be writable by players. Only the game program must be allowed to write to the score file. So the game program is made setgid games, and the score file is writable by the group games but not by players.

There is an alternative approach to elevating permissions, which is to start programs that require additional privileges from a privileged launcher program. When a user wants to perform a task that requires additional privileges, he runs a front-end program which uses some form of inter-process communication to perform the privileged action. This works well for some use cases such as ping (one ping program to parse options and report progress, and a ping-backend service that sends and receives packets), but not for other use cases such as the game high score file.

Permissions CIFS – Why Files in SMBFS Share Created with Executable Bit Set

NFS was invented in the Unix world and so understands traditional Unix permissions out of the box. (The ACL of modern unix systems are another matter, but recent implementations of NFS should cope with them.)

Samba was invented in the IBM/Microsoft PC world, to exchange files with systems that had no permissions beyond read-only/read-write. It is now native to Windows. By default, Samba does not transmit Unix permissions. Depending on the configuration, either all files are marked executable (which is annoying) or all files (except directories) are marked non-executable (which is annoying).

There are various extensions to the Samba/CIFS protocol that make it more suited for Unix use. Try enabling Unix extensions in the server configuration:

[global]
unix extensions = yes

Best Answer

Related Solutions

Under what scenarios would I want to set a SUID bit

Permissions CIFS – Why Files in SMBFS Share Created with Executable Bit Set

Related Question