Hello,

I had a forum post where I complained about KDE executing .exe files with wine [1]. Somebody also said it executes shell scripts as well (I didn't check that). To me this looks like a major security risk. IMHO everything that executes code from a file, needs to be confirmed before run. There could be a list maintained with regexpressions of alowed paths. Signing could also be used to trust an executable.

Now I'm going to stop bashing windows for being ignorant in the past and being so insecure. Or at least for being ignorant Considering how my previous post was ignored [1] I don't think KDE (and some other linux distro DEs and components) would have been different if it was popular like windows. Since some time I am not a KDE user any more (using only some programs from it) so I just by chance hit my old thread. But thought I do a last effort to bring the topic up. I couldn't post to brainstorm so posting here.

Have a nice day and sorry if I sound frustrated, this is because I really am. And I don't want to see linux in the same situation as windows some day.

[1] viewtopic.php?f=93&t=39879

This is a strange request - add a confirmation when something is opened.

For linux, .exe and .png files are the same - both are files that are opened by an associated application.

It would be quite fun if you got a "Are you sure you want to open desktop.png?" - because, security-wise, opening an image (or almost anything) is a risk because the file can be maliciously designed to take advantage of buffer overflows or similar issues in the underlying libraries.

KDE SC doesn't start automatically anything you didn't request to be started.

Your original post says it all really, opening konqueror in root mode AND _accidentally_ clicking on an exe file and then being frustrated that you did not get asked whether you actually wanted to open that file is a bit much by any standard, methinks.

There is only so much one can do against human error before it gets in the way. Just remember Vista with its continuous stream of "Are you sure?", "Are you absolutely sure?", "You really want to?", etc.

Also wondering whether you found an alternative to KDE which behaves as you stated.

ivan wrote:It would be quite fun if you got a "Are you sure you want to open desktop.png?"

Yeah, really hilarious

As far as I am aware, at least for shell scripts, they need to be marked as executable, otherwise KDE will open them in a text editor. Don't know if *.exe files get the same treatment.

If you don't want .exe files run without your or root's explicit permission you can do what I did, remove the file association so that there is no application associated with .exe's. You will then have to explicitly state what app you wish to use to open the file

Guys, you really miss the point. At the moment exe and png are the same for KDE. I tell you that this is wrong. Of cource only time will tell. And it has nothing to do with being root or not. If something screw my home dir it's almost no difference to me that root is safe.

Not all files are equal. Some carry just a minimal risk, like PNG. But some can do a lot of harm, like exe, sh, or whatever executable format. It's not about you can do this or that. I can make my system secure if I dedicate the time to do so. But I try to choose a desktop environment that saves my time and not one that I need to do basic stuff by myself. And still there are the majority of people that can't do that for themselves.

But it's your call. He who doesn't learn from the mistakes of the others, learns from his own mistakes.

Regards.

avalon wrote:Guys, you really miss the point. At the moment exe and png are the same for KDE. I tell you that this is wrong.

No wonder we are missing the point with statements like that I for one haven't got a clue what you are on about and slowly get the feeling that this is more about trolling than anything else.

Please state your point clearly and succinctly and remember that whatever DE/OS you use, there is always the 8th layer of the OSI model (and that includes each and every one of us - I should know )

toad wrote:No wonder we are missing the point with statements like that

The point really is that some files are not safe to just run/open. .exe is one of them. There might be others. I report this problem so somebody from KDE team can take on that. The rest of my messages was about answering arguments that it doesn matter, or that everybody should make his/her DE secure by him/herself.

toad wrote: I for one haven't got a clue what you are on about and slowly get the feeling that this is more about trolling than anything else.

Heh. No worries,I go back to my hole after this post.

toad wrote:Please state your point clearly and succinctly and remember that whatever DE/OS you use, there is always the 8th layer of the OSI model (and that includes each and every one of us - I should know )

Yes, that's right. I think that the best thing forward is to ask the security guys in the KDE project (I'm sure there are people in such a big project that deal with the security matters) what do they think about this topic. Perhaps forum is not the best place for reporting such type of issues...

I think that the biggest issue at hand is that there is no infrastructure widely used in linux distributions that would allow a good control of what is executed. Like signing of executables, permissions per application and so on. Selinux and other security frameworks have a long way to go until verything is integrated and user-friendly. The problem as a whole is too hard but there are some low hanging fruits like being more cautios with some content that carries a high risk of being harmful.

Cheers and bye.