2009/2/25 Scott Ritchie scott@open-vote.org:
Chris Robinson wrote:
On Tuesday 24 February 2009 6:07:08 pm Scott Ritchie wrote:
When I brought this up at the Ubuntu Developer Summit a while back, the security conscious there wanted to check an executable for the execute bit before launching it with Wine. Then, the user would be prompted if they wanted to run it, and if yes the execute bit would be set and the program launched.
Seems a bit too easy to me for this to be ineffective. It's been repeated often around here how people, especially Windows users, are conditioned to click "Yes" and not actually see or comprehend what they're clicking yes too ("I thought it was going to open it in notepad, not run it!"). IMHO, it would be better if they had to take the initiative to mark it +x, then run it again. That would prevent these kinds of surprises.
It would also make it completely unusable. Remember, all downloaded executables (even intentionally downloaded ones) will be -x by default. Do you really expect users to go right click->properties->permissions->allow execution? Or will they just conclude that it doesn't work.
Worse, you could actively irritate them - suppose they do double click and you DONT offer the ability to open it, but instead instruct them to go through that annoying procedure.
And what happens if they intentionally download a Linux-native executable or script? It won't run unless it's marked +x or passed as an argument to the appropriate interpreter. Wine/Windows apps shouldn't be different.
It's admirable to think of new users and say "how much will they get?", but you're holding them back if you don't educate them with things like this. If it's the *correct* way to do it, which I believe it is, it's *incorrect* to assume that new users are incapable of learning how to +x their apps when they're downloaded.
This check would be skipped if you clicked a link on the start menu (since you obviously meant to launch a program then).
Not necessarily. Along with the .desktop trojan, the blog I read also showed how to override system menu entries (by placing a replacement in the local folder which will override the system one). So the link you clicked on may not be what you intended..
But in order to do that a malicious script has to already be running! Such a system is already owned.
What he's talking about here, if I understand correctly, is a .desktop file that can be clicked on in a web browser, and executed by the system without warning. It's an entry-point for malware.