Offline/Remotely changing Trust of .desktop file

(Alf Gaida) #21

See next step: do it over ssh

(Pedram Pourang) #22

Yes, I’ll do it too (was very busy with coding; hence the test with VirtualBox). Theoretically, it shouldn’t make a difference but @Arffeh’s test tells otherwise.

(Pedram Pourang) #23

This is how I see it:

First, it’s true that Lubuntu wanted me to change “trust” and that was a meaningless suggestion because it was based on the idea that “trust” was something that all file managers could recognize automatically (impossible).

To me, this has nothing to do with “trust”; it’s about setting any metadata without logging in as the owning user. Or, at least, I chose to see it that way :wink: Why? I explain:

Metadata aren’t written to files but are user-specific: they “accompany” their corresponding files for every user in the way he/she determines. For example, you can add an emblem (small icon) to a file and pcmanfm-qt will show it. Emblems are metadata. However, they can’t be seen by another user.

Now, to me, it’s like a small self-inconsistency in GLib/GVFS if metadata could be set by a privileged user. My simple test showed that it was possible.

(Alf Gaida) #24

Was not able to do so :slight_smile:

More verbose:

  • one needs a running dbus-session - it should be the user session
  • I was not able to take over/capture a dbus user session - I guess that’s a good thing
  • so - one has to set gio metadata as the target user, I don’t see a problem in it

If I make a mistake in my conclusions, please point me to it. I will have the problem of setting the trust for some Desktop Icons in the Siduction live iso as well - I don’t know right now when I will do it, but I guess as a one-shot job at system start.

(Pedram Pourang) #25

Yes but that can also be done by a privileged user with su -l -g USER USER -s '/bin/bash' -c 'dbus-run-session -- gio set /home/USER/Desktop/example.desktop -t string metadata::trust "true"'.
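An added example, not part of the original post: a wrapper around the command above that reads the attribute back with `gio info` instead of relying on console output, so a value that did not persist shows up as a non-zero return. The function names are hypothetical, the sample `gio info` output is constructed, and real use assumes a root shell.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# Print the value of attribute $1 found in `gio info` output on stdin.
# Exit status 1 means the attribute is not stored for that user.
attr_value() {
    awk -v key="$1" '
        $1 == (key ":") { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; found = 1 }
        END { exit !found }'
}

# Run `gio ARGS...` as user $1 in a throwaway D-Bus session, using the
# su / dbus-run-session form quoted above. Needs root; %q keeps paths
# with spaces or quotes from being re-parsed by the inner bash.
gio_as() {
    local user=$1 cmd
    shift
    printf -v cmd '%q ' dbus-run-session -- gio "$@"
    su -l -g "$user" "$user" -s /bin/bash -c "$cmd"
}

# Set metadata::trust for $2 as user $1, then read it back.
# Returns 0 only when the stored value is "true".
trust_and_verify() {
    local user=$1 file=$2 got
    gio_as "$user" set "$file" -t string metadata::trust true || return 2
    got=$(gio_as "$user" info -a metadata::trust "$file" 2>/dev/null |
          attr_value metadata::trust) || got='<unset>'
    [ "$got" = true ] && return 0
    echo "metadata::trust on $file reads back as $got" >&2
    return 1
}

# Constructed sample of `gio info -a metadata::trust FILE` output.
sample='uri: file:///home/agent/Desktop/firefox.desktop
attributes:
  metadata::trust: true'
printf '%s\n' "$sample" | attr_value metadata::trust

# Real use, as root:
#   trust_and_verify agent /home/agent/Desktop/firefox.desktop
```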

(Arffeh) #26

tsujan, I am glad we are on the same page.

Here are my steps for reproducing it:


install lubuntu 19.04:

username: admin

password: yes

Default partition (whole disk)


boot the system

login: admin

sudo apt-get update && sudo apt-get install openssh-server

ssh in as admin

escalate to root

create user: agent (home created, password assigned, etc)

Log in once as agent to initialize environment (Desktop folders, gvfs cache, lxqt panels, pulseaudio, etc. [is there a way of remotely simulating a GUI login to trigger all these files to be built?])

Log back out.

via the ssh session:
cp /usr/share/applications/firefox.desktop /home/agent/Desktop/firefox.desktop

chmod +rx /home/agent/Desktop/firefox.desktop

su -l -g agent agent -s '/bin/bash' -c 'dbus-run-session -- gio set /home/agent/Desktop/firefox.desktop -t string metadata::trust "true"'

receive the usual fanfare:

root@agent-pc-test:/home/admin# su -l -g agent agent -s '/bin/bash' -c 'dbus-run-session -- gio set /home/agent/Desktop/firefox.desktop -t string metadata::trust "true"'
dbus-daemon[3972]: [session uid=1001 pid=3972] Activating service name='org.gtk.vfs.Daemon' requested by ':1.0' (uid=1001 pid=3974 comm="gio set /home/agent/Desktop/firefox.desktop -t str" label="unconfined")
dbus-daemon[3972]: [session uid=1001 pid=3972] Successfully activated service 'org.gtk.vfs.Daemon'
dbus-daemon[3972]: [session uid=1001 pid=3972] Activating service name='org.gtk.vfs.Metadata' requested by ':1.0' (uid=1001 pid=3974 comm="gio set /home/agent/Desktop/firefox.desktop -t str" label="unconfined")
dbus-daemon[3972]: [session uid=1001 pid=3972] Successfully activated service 'org.gtk.vfs.Metadata'
A connection to the bus can't be made
** (process:3983): WARNING **: 12:37:09.851: Failed to connect to the D-BUS daemon: Could not connect: Connection refused (g-io-error-quark, 39)

Log in, verify the metadata has not been assigned (both visible on the desktop, and by browsing with pcmanfm and F5ing to be sure).

If the above seems sane for checking these conditions, I could proceed to download and install debian/manjaro/arch/opensuse/etc and do the above on all. Who would have thought making a desktop shortcut would be such a rabbit hole :wink:

Security Sidenote: One amusing thing is, I’ve been dumping other .desktop entries into /home/agent/.config/autostart/ , which happily get executed on login, no trust is ever checked. If the trust metadata check is to prevent application execution, there are easier places to bypass it (as shown, just place it in autostart :slight_smile: ).
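The autostart observation above lends itself to an audit from the administrator's side. This added example (not part of the original post; function names are hypothetical) lists every enabled entry under each user's `~/.config/autostart` with its `Exec` line and flags files whose owner differs from the owner of the home directory. It assumes GNU `stat` and home directories under one base path.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# Print the value of key $2 from the [Desktop Entry] group of file $1.
desktop_key() {
    awk -v key="$2" '
        /^\[/ { in_entry = ($0 == "[Desktop Entry]"); next }
        in_entry && index($0, key) == 1 {
            rest = substr($0, length(key) + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest); print rest; exit
            }
        }' "$1"
}

# List every enabled autostart entry under BASE/<user>/.config/autostart
# as: note <TAB> path <TAB> Exec line. The note is "ok" or names a file
# owner that differs from the owner of the home directory.
audit_autostart() {
    local base=${1:-/home} f cmd owner home_owner note
    for f in "$base"/*/.config/autostart/*.desktop; do
        [ -f "$f" ] || continue
        cmd=$(desktop_key "$f" Exec) || continue
        [ -n "$cmd" ] || continue
        # Hidden=true disables an entry per the autostart specification.
        [ "$(desktop_key "$f" Hidden)" = true ] && continue
        owner=$(stat -c %U "$f") || continue
        home_owner=$(stat -c %U "${f%/.config/autostart/*}") || continue
        note=ok
        [ "$owner" = "$home_owner" ] || note="owner=$owner"
        printf '%s\t%s\t%s\n' "$note" "$f" "$cmd"
    done
}

audit_autostart "${1:-/home}"
```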

(Pedram Pourang) #27

/home/agent/.config/autostart/ has nothing to do with it. Lack of “trust” is just a sign, to which libfm-qt reacts (when the user clicks the file, a prompt dialog is shown).

To be super clear:

You could repeat the experiment with:

gio set FILE -t stringv metadata::emblems EMBLEM_NAME

and Nautilus/Thunar/Nemo… and get the same result. This isn’t about “trust”.

Anyhow, if it cannot be set, that’s good (because metadata are personal), although it wouldn’t be so bad if it could.

(Shrinivas Kumbhar) #28

Well, I don’t like the concept of trust and those exclamation marks on .desktop files. Because of that I’m thinking of getting rid of pcmanfm-qt and using something else for providing the desktop.

(Pedram Pourang) #29

Search for and read the history behind it.

(Arffeh) #30

Yes sorry, I went off on various tangents.

I understand that metadata is personal, and that it encompasses multiple facets in the way other programs operate (eg I use emblems for other things too).

I now see the point you’re making regarding the filemanager.

(Pedram Pourang) #31

I said that to @librewish (“search for…”) :wink:

(Alf Gaida) #32

@librewish - it’s up to you. Like it or don’t like it, we will not care. What we do care about is if someone (rightfully) writes a CVS for nearly all desktop environments because of no feedback when executing a custom desktop item. Hmm - gnome solved it meanwhile otherwise, they banned desktop icons completely :D.

(Pedram Pourang) #33

gnome solved it meanwhile otherwise, they banned desktop icons completely :D.

Yes, gnome solves problems with the power of minimalism very efficiently. Systray has a problem? Remove it altogether! Desktop items are hard to handle? Get rid of them! Trash has issues in some locations? Who needs Trash?!

As for “trust” and “!”:

(1) It isn’t an “exclamation mark” but an icon in the set.

(2) It can’t be a problem unless the user doesn’t know how to right click (too much of gnome?!), in which case, the problem wouldn’t be in it.

(3) We can’t and don’t develop LXQt based on likes and dislikes.

(Walter Lapchynski) #34

You know, you just forget. tl;dr s/trust/trusted

It wasn’t meaningless. It’s just a non-standard thing that GNOME has a tendency for. As such, Ubuntu has adopted it as a standard. As a flavor of Lubuntu, we’re forced to follow suit.

It is what it is and I don’t really care, but let’s call a spade a spade. :slight_smile: