Richard,

You're confusing things.  You cannot execute .java files; that's
source code.  It must be compiled into byte code (.class files).  An
executable .jar archive will contain one or more .class files.  For
the purpose of this bug, the byte code can be thought of as machine
code.

There is no difference between a Python script or Perl script, or any
other script file that can execute arbitrary commands, java byte code,
or a binary executable: If the execute permission is not set, neither
one of them is permitted to execute.

Jan.

On Sun, Jan 25, 2009 at 22:03, Richard Seguin
<ubuntu-b...@transubuntu.ca> wrote:
> What exactly executes? If a .java file is marked as executable and I
> type in the name at a CLI prompt it will not execute, neither will a
> .jar file.  I understand that nautilus executes the file when it's
> clicked on, but what's the difference between a python script being run
> when clicked on, or even a wine launcher. I am going to mark this as low
> priority and will check with the bug-control team on this one.
>
>
> ** Changed in: nautilus (Ubuntu)
>   Importance: Medium => Low
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" 
> permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in "nautilus" source package in Ubuntu: Confirmed
>
> Bug description:
> Binary package hint: nautilus
>
> 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> 
> About Ubuntu.
>
> Description:    Ubuntu 8.04.1
> Release:        8.04
>
> 2) The version of the package you are using, via 'apt-cache policy 
> packagename' or by checking in Synaptic.
>
> N/A
>
> 3) What you expected to happen
>
> Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI).  
> The archive has the execute permission bits cleared (chmod 640).  When the 
> archive icon is double-clicked, the archive contents should be displayed in 
> the Archive Manager.  Under no circumstances should code contained in the 
> archive be executed.  Opening files should be safe, regardless of their 
> contents.
>
>
> 4) What happened instead
>
> The archive is nevertheless executed (presumably, java -jar <archive name> is 
> called).
>
>
> 5) Security implication
>
> A user can be tricked into executing arbitrary code by opening an 
> innocuous-looking file.  This is similar to the MS-Word macro virus 
> attacks, or Vim modeline attacks.
>
> 6) Example scenario
>
> Firefox downloads to Desktop by default.  The user can specify some file types 
> to be downloaded automatically.  It is reasonable to expect such files would 
> be later opened by double-clicking on their Desktop icons.  The file type does 
> not (necessarily) correspond to the extension; the file name, including the 
> extension, is fully under the control of the attacker.   Firefox will save 
> the file with the file name specified.  When the user double-clicks the 
> archive they just downloaded, they expect the contents to be displayed.  
> Instead, the code supplied by the attacker will be executed.
>
> 7) Workaround
>
> It is possible to change this default behaviour by changing the file 
> association: right click >  Open With > select Archive Manager as the default 
> app to open with.  However, this is not based on permissions, so one has to 
> right click > Open With > java when one wants to indeed execute the 
> application then.
>
> ProblemType: Bug
> Architecture: amd64
> Date: Sat Jan  3 10:12:45 2009
> DistroRelease: Ubuntu 8.04
> Package: firefox-3.0 3.0.5+nobinonly-0ubuntu0.8.04.1
> PackageArchitecture: amd64
> ProcEnviron:
>  PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
>  LANG=en_GB.UTF-8
>  SHELL=/bin/bash
> SourcePackage: firefox-3.0
> Uname: Linux 2.6.24-22-generic x86_64
>

-- 
Opening a Java Archive (.JAR) file executes it regardless of the "executable" 
permission bit
https://bugs.launchpad.net/bugs/313439
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to nautilus in ubuntu.

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
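The permission-based dispatch the reporter asks for (hand a .jar to `java -jar` only when its execute bit is set, otherwise treat it as data and show its contents) can be expressed as a small wrapper. The script below is an added example written for this page; it is not part of the bug thread, of nautilus or of Ubuntu. It assumes `java` and `file-roller` (GNOME's Archive Manager) are on PATH, and the function names `jar_policy` and `open_jar` are hypothetical. The demo at the bottom creates two constructed empty .jar files, one mode 640 and one mode 750, so it runs offline without executing anything.

```shell
#!/bin/sh
# Added example: decide what to do with a .jar based on its execute bit,
# mirroring what the reporter expects from the desktop file manager.
# Assumptions: "java" and "file-roller" exist on PATH; helper names are
# hypothetical and not taken from nautilus or the bug report.

# jar_policy FILE
# Prints "execute" if FILE exists and the caller may execute it,
# "open" if it exists but is not executable, "missing" (exit 1) otherwise.
# test -x answers "may *I* execute this", so a 640 file yields "open".
jar_policy() {
    if [ ! -f "$1" ]; then
        echo "missing"
        return 1
    fi
    if [ -x "$1" ]; then
        echo "execute"
    else
        echo "open"
    fi
}

# open_jar FILE
# The dispatcher a file manager should use: run only when the execute bit
# grants it, otherwise show the archive contents as data.
open_jar() {
    case "$(jar_policy "$1" || true)" in
        execute) java -jar "$1" ;;
        open)    file-roller "$1" ;;
        *)       echo "no such file: $1" >&2; return 1 ;;
    esac
}

# Demo on two constructed files (nothing is launched here).
demo_dir=$(mktemp -d)
: > "$demo_dir/download.jar";  chmod 640 "$demo_dir/download.jar"
: > "$demo_dir/installed.jar"; chmod 750 "$demo_dir/installed.jar"
echo "download.jar  (mode 640): $(jar_policy "$demo_dir/download.jar")"
echo "installed.jar (mode 750): $(jar_policy "$demo_dir/installed.jar")"
rm -rf "$demo_dir"
```

Pointing the desktop association at this wrapper instead of at `java` would give the behaviour the report asks for; the reporter's right-click workaround is the same idea applied unconditionally, and on the command line it corresponds (assuming xdg-utils is installed) to `xdg-mime default file-roller.desktop application/x-java-archive`, which then requires `Open With > java` every time a trusted archive should actually run.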
