Permission of a .desktop file

Need some clarification about the permissions of .desktop files. I can see all the .desktop files in /usr/share/applications/ owned by root have permission,

-rw-r--r--

also examples.desktop at $HOME owned by user has the same permission. All of those run properly.

But when I am going to create a custom .desktop file having the same permission it is throwing the following error message,

Untrusted application launcher
The application launcher "myapp.desktop" has not been marked as trusted. If you do not know the source of this file, launching it may be unsafe.

But adding the execution permission is allowing it to run without any issue.

Q: Why custom .desktop files need to have +x permissions to run or how some .desktop files can run without execution permission? Is it possible to run a custom .desktop file without execution permission?


Solution 1:

This is from Ubuntu's security policy:

Execute-Permission Bit Required

  • Applications, including desktops and shells, must not run executable code from files when they are both:

    • lacking the executable bit
    • located in a user's home directory or temporary directory.
  • This includes *.desktop, *.jar, and *.exe files.

  • Nothing may provide a workaround to run them anyway automatically ...

So yes, according to this policy, it should be possible to run a .desktop file without the executable bit set. According to this policy you would only have to move that file out from the /home/ and /tmp/ directories and then you can launch it without the executable bit set. This is in theory/according to the policy.

In practice nautilus will allow you to launch .desktop files without the executable bit set from the XDG_DATA_DIR directories and from the ~/.gnome2/ directory. You can check the XDG_DATA_DIRS with the echo $XDG_DATA_DIRS command. So if you put your .desktop file in in an XDG_DATA_DIR or in ~/.gnome2/ you will be able to launch it from nautilus without the executable bit set. At least on 12.04 it works like that. How is this in line with the aforementioned policy I do not know.


For the examples.desktop mentioned in the question: That .desktop file is a different kind of .desktop file. It is a "Link", it doesn't want to execute anything, it basically works as a symlink. These kinds of .desktop files work everywhere.

Solution 2:

You can create and place the .desktop file in ~/.local/share/applications - then it will appear in the dash/menu/whatever.

It will need to look something like this:

[Desktop Entry]
Name=Files
Comment=Launch Nemo File manager
Keywords=folder;manager;explore;disk;filesystem;
Exec=nemo %U
Icon=system-file-manager
Terminal=false
Type=Application
StartupNotify=true
OnlyShowIn=GNOME;Unity;
Categories=GNOME;GTK;Utility;Core;
NoDisplay=false

This is because the files in ~/.local/share/applications work the same as the files in /usr/share/applications - both of which on most systems work fine without executable permissions, also when owned by a user other than root. This however does not always seem to be the case.

To actually get the file to be clicked on and then open, it will need executable permissions.