Bug 767978 - remove/disable E: script-without-shebang /usr/share/applications/foo.desktop check
Product: Fedora
Classification: Fedora
Component: rpmlint
Assigned To: Tom "spot" Callaway
Fedora Extras Quality Assurance
Reported: 2011-12-15 07:58 EST by Rex Dieter
Modified: 2011-12-15 17:43 EST

Doc Type: Bug Fix
Last Closed: 2011-12-15 14:38:29 EST
Description Rex Dieter 2011-12-15 07:58:33 EST
Per a recent package review:
kdf.x86_64: E: script-without-shebang /usr/share/applications/kde4/kdf.desktop

xdg specs (or at least common practice and conventional wisdom) now strongly encourage .desktop files to ship with executable bits as an additional security measure. For a while now, at least all upstream core kde applications follow this practice, and kdelibs enforces additional checks on .desktop files (in particular, those .desktop files found outside of usual search paths).

Given this, I'd recommend that rpmlint no longer issue warnings or errors pertaining to packages containing executable .desktop files.
Comment 1 Tom "spot" Callaway 2011-12-15 10:09:09 EST
Does the xdg standard really say that .desktop files should be +x as a _security_ measure? What happens if you try to execute it? It has no interpreter!

Looking at the Desktop Entry Specification (http://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-1.1.html), I can't see anything to back this up, nor can I figure out why it would be conventional wisdom or common practice to set the executable flag on a file that cannot execute.
Comment 2 Rex Dieter 2011-12-15 10:34:15 EST
It's not part of the spec, but is a common practice these days.

I'll see if I can dig up some mailing list references for some background.
Comment 3 Rex Dieter 2011-12-15 13:55:38 EST
Here's the main thread I recall:

".desktop file security"
http://lists.freedesktop.org/archives/xdg/2009-February/010209.html
Comment 4 Tom "spot" Callaway 2011-12-15 14:10:08 EST
Hrm. It seems like a terrible idea, and a great way to try to exploit a system. While I'd prefer that this was standardized in the Desktop Entry Specification, it isn't explicitly forbidden. (Neither is wearing a .desktop file as pants, but I wouldn't recommend that either.)

The concept of taking a file format and making it executable when there is no reason to do so is completely flawed, IMHO.

But. I realize that the time for sanity in this discussion may have come and gone if it has been implemented in KDE already, so I'll just grumble and wave my cane of sanity at you from my front porch.
Comment 5 Ville Skyttä 2011-12-15 14:14:55 EST
(In reply to comment #3)
> http://lists.freedesktop.org/archives/xdg/2009-February/010209.html

That post lists three conditions, any of which is said to permit the launch.  Two of three (root ownership, installed in system dirs) are already true for packaged apps, so I don't see why adding the executable bit would do any good.
Comment 6 Rex Dieter 2011-12-15 14:30:13 EST
Sure, kde adds X unconditionally, for folks installing kde trees outside of system dirs.  I suppose it could be argued it should only do that conditionally in that case.
Comment 7 Tom "spot" Callaway 2011-12-15 14:38:29 EST
rpmlint-1.4-4.fc17 squelches the error on +x desktop files. If only it was so easy to squelch bad ideas on the internets. *sigh*
Comment 8 Ville Skyttä 2011-12-15 16:25:42 EST
(In reply to comment #6)
> Sure, kde adds X unconditionally, for folks installing kde trees outside of
> system dirs.  I suppose it could be argued it should only do that conditionally
> in that case.

...or if/as long as it doesn't, packagers (c|sh)ould just remove the x bits from where they're not needed.
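The launch policy Ville summarizes in comment 5 (root ownership, installation in a system directory, or the executable bit, any one of which permits the launch) and the redundant x bit that comment 8 says packagers could strip, written out as an added Python example that is not part of this bug or of rpmlint; the DesktopFile record and the system directory list are assumptions.

```python
import os
import stat
from dataclasses import dataclass

# Assumed system application directories; constructed for this example.
SYSTEM_DESKTOP_DIRS = ("/usr/share/applications", "/usr/local/share/applications")


@dataclass(frozen=True)
class DesktopFile:
    """Hypothetical record of the file attributes the policy looks at."""
    path: str
    uid: int   # owner uid
    mode: int  # permission bits only (stat.S_IMODE)


def from_disk(path):
    """Build a DesktopFile from a real file (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    return DesktopFile(path, st.st_uid, stat.S_IMODE(st.st_mode))


def in_system_dir(path, system_dirs=SYSTEM_DESKTOP_DIRS):
    # Trailing separator so "/usr/share/applications-other" does not match.
    norm = os.path.normpath(path)
    return any(norm.startswith(os.path.normpath(d) + os.sep) for d in system_dirs)


def trust_reasons(df, system_dirs=SYSTEM_DESKTOP_DIRS):
    """Conditions the file satisfies; any single one permits the launch."""
    reasons = []
    if df.uid == 0:
        reasons.append("root-owned")
    if in_system_dir(df.path, system_dirs):
        reasons.append("system-dir")
    if df.mode & stat.S_IXUSR:
        reasons.append("executable")
    return reasons


def launch_permitted(df):
    return bool(trust_reasons(df))


def x_bit_redundant(df):
    """True when the x bit is set but another condition already permits the launch,
    i.e. the packaged case: root-owned and installed under a system directory."""
    reasons = trust_reasons(df)
    return "executable" in reasons and len(reasons) > 1
```

For a packaged file such as /usr/share/applications/kde4/kdf.desktop the first two conditions already hold, so the x bit changes nothing; only a tree installed outside the system dirs by a non-root user depends on it.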
Comment 9 Kevin Kofler 2011-12-15 17:43:32 EST
I think KDE considers the other 2 conditions just compatibility hacks and would like ALL .desktop files to be marked executable.
