Syntax validation for .desktop files
Executable bit in .desktop files
.desktop files installed to /usr/share/applications/ should be consistent about the executable bit: on Gentoo they should not carry it (see below), so a mix of executable and non-executable entries indicates an ebuild problem.
As of 2017-06-16 many ebuilds (mostly KDE) create executable .desktop files (bug #621966).
Look for executable .desktop files on the system with:
find /usr/share/applications/ -executable -type f
Please report any violations upstream.
Executable bit on Ubuntu systems
The Ubuntu Security Policy makes use of executable bits:
Applications, including desktops and shells, must not run executable code from files when they are both: lacking the executable bit; located in a user's home directory or temporary directory. The GNOME or KDE MIME type handlers must not circumvent this principle. This includes *.desktop, *.jar, and *.exe files. Look for .desktop files with MimeType= and Exec= lines that do not use "cautious-launcher".
That rule targets files in home and temporary directories, so it does not apply to software installed via Gentoo ebuilds into /usr/share/applications/. Packages should not ship a .desktop file with the executable bit set; a user can set the bit on demand where it is needed.
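The following script is an added example, not part of the original page and not a Gentoo or freedesktop tool. It turns the find command above into a reusable audit: it lists .desktop files below a directory that carry any execute bit, lists the MIME-type handlers (entries with both MimeType= and Exec= keys) that the Ubuntu policy quoted above singles out, can clear the bit, and runs desktop-file-validate (from desktop-file-utils) on every entry when it is installed. The function names are my own; it assumes GNU find (-perm /111) and a POSIX sh.

```shell
#!/bin/sh
# Added example: audit a directory of .desktop files for the executable bit.
# Not from the Gentoo wiki page or from portage/desktop-file-utils.

# List every regular .desktop file below DIR that has any execute bit set.
# -perm /111 tests the mode bits themselves, so the result does not depend
# on who runs the script (find -executable asks access(2) instead).
find_executable_desktop_files() {
    find "$1" -type f -name '*.desktop' -perm /111 | sort
}

# Number of executable .desktop files below DIR, printed as a bare integer.
count_executable_desktop_files() {
    find_executable_desktop_files "$1" | wc -l | tr -d ' '
}

# List .desktop files below DIR that act as MIME-type handlers, i.e. carry
# both a MimeType= and an Exec= key. These are the entries a desktop can use
# to launch content on the user's behalf, which is why the Ubuntu policy
# quoted above treats them specially.
find_mime_handlers() {
    find "$1" -type f -name '*.desktop' | sort | while IFS= read -r f; do
        if grep -q '^MimeType=' "$f" && grep -q '^Exec=' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Clear the execute bits on every .desktop file below DIR, the state the page
# expects for files installed by ebuilds.
strip_exec_bits() {
    find "$1" -type f -name '*.desktop' -perm /111 -exec chmod a-x {} +
}

# Human-readable report for DIR; exit status 1 when executable entries exist.
audit_desktop_dir() {
    dir=$1
    n=$(count_executable_desktop_files "$dir")
    echo "executable .desktop files under $dir: $n"
    find_executable_desktop_files "$dir" | sed 's/^/  /'
    echo "MIME handlers (MimeType= and Exec=) under $dir:"
    find_mime_handlers "$dir" | sed 's/^/  /'
    if command -v desktop-file-validate >/dev/null 2>&1; then
        echo "desktop-file-validate output:"
        find "$dir" -type f -name '*.desktop' -exec desktop-file-validate {} \;
    else
        echo "desktop-file-validate not installed (desktop-file-utils); skipping syntax check"
    fi
    [ "$n" -eq 0 ]
}

# Run against a directory given on the command line, for example:
#   sh desktop-audit.sh /usr/share/applications
if [ $# -gt 0 ]; then
    audit_desktop_dir "$1"
fi
```

Run it against /usr/share/applications/ to reproduce the check from the section above; the non-zero exit status makes it usable from a cron job or a QA hook. Clearing the bit with strip_exec_bits is a local workaround only; the ebuild or upstream package still needs the fix.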
Ideas / Todo
- Portage could check for the x bit in its .desktop entry validation: https://gitweb.gentoo.org/proj/portage.git/tree/pym/portage/util/_desktop_entry.py
- In the past there were discussions about requiring them to be executable: https://commit-digest.org/issues/2009-02-08/
- 2017-06-18 Jonas Stein (Jstein) asked on the freedesktop mailing list about the .desktop file.
- KDE: "Note: Since KDE 4.3, there are more restrictions on authorized desktop files to prevent users from inadvertently running trojan desktop files. Your application launchers should have the executable bit set to prevent issues." source: kde.org
- Xfce: please see bug #465740 about thunar behavior
Report bugs in desktop-file-validate on https://gitlab.freedesktop.org/xdg/desktop-file-utils/issues
- desktop-file-validate is in some cases incorrect; such cases should be reported upstream, for example:
- "desktop-file-validate claims OnlyShowIn is deprecated" https://gitlab.freedesktop.org/xdg/desktop-file-utils/issues/52