Desktop file names and its Name field
Desktop files have a "Name" field in its data that usually represents its display name, as gio info usually have too display name and file name separate instances. Desktop files need specific names as its file name, since they need to match what the app-id is, etc.
We had a CVE on Nautilus where this is exploitable. To mitigate it, we added a file metadata "metadata::trusted" that can only be accessed by gvfs since its located in its database. This worked for the time being, but it's inconvenient to deployments where the sysadmin has to put desktop files on the desktop and it's not entirely clear how that needs to be done, specially system wise.
Problem & requirements
Talking with security researchers, the main problems are:
- Be misleading to the user. Icon and name of the desktop file shouldn't be misleading.
And the requirements and limitations are:
- Executable bit to prevent launch is useless, so we cannot rely on it. It can come set from a downloaded file inside a zip file. Autodecompression makes this worse.
- Simply asking a question with a dialog to immediately run the desktop file exec is not enough, since we know dialogs are usually skipped. This is a Ubuntu requirement. (we might go with downstream patches instead if we ended up with different requirements, but feels worthy to cater the minimum common policy if possible)
- If we provide a mechanism for allowing launch, we need to provide a mechanism to revoke that permission too.
Use cases
We have different targets here:
- Regular user downloads a trusted and valid program
- Sysadmin sets some by default programs in the desktop
- Distributions put some launcher on the desktop
The most common one and we probably should target is the first one.
The second one is a bit of a pity, sysadmins usually have all set up already and are not aware of these kind of changes. However, it might be a trade off to not cater them
The third one is probably the easiest one, since it can be done in different ways. For example, a custom widget in the desktop, so it doesn't need to be a desktop file or such.
Possible Solutions
Now that we are a shell extension, we can use much more diverse solutions to fix the being misleading problem. Some ideas are:
- Emblem
- Overlay color
- Overlay effect
- Overlay icon styling
However, I don't have many ideas about the launching bit, and this also affect non-desktop files. However, non-desktop files are not as misleading, and that seemed to be enough for security researchers to be okay with that.
In general we can come up with ideas here and I will discuss them with security researchers to provide some feedback.