CentOS - Apr 2019 - "Untrusted application launcher (desktop launchers)"

At Sun, 28 Apr 2019 18:53:21 +0100 CentOS mailing list <centos at
centos.org> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sun, 2019-04-28 at 12:11 -0400, Robert Heller wrote:
> > I am having this problem on Ubuntu 18.04 -- I manage a batch of
desktop
> > machines with some convience desktop launchers, which gnome3 insists
are
> > "untrusted". With some general websearching reveals that
this is a *GNome3*
> > so-called "security" issue
> > (https://gitlab.gnome.org/GNOME/nautilus/commit/1630f5348). I found a
thread
> > on the CentOS Forums (I don't have an account there), where
another sysadmin
> > is strugling with this issue:
> > 
> >
https://www.centos.org/forums/viewtopic.php?f=47&t=65864&start=10
> > 
> > If anyone has come up with a script that can be dropped into 
> > ~/.config/autostart/ to "fix" this "feature" of
gnome3 I would be interested
> > in it.
> > 
> > 
> 
> Hi,
> 
> Just chmod +x the desktop files.
That is NOT the problem...
> 
> That or teach the users how to do things correctly.
> 
Oh, yeah, you really think I am going to get very far telling *non-techies* to:

1) Open up a terminal (right-click on the desktop and select "Open
Terminal")
2) Type at the shell prompt (huh? what is a "shell prompt")

   /usr/local/bin/arduino &
   
OR
   gnucash &
   
OR

   scratch &
   
These happen to be the three desktop shortcuts I am providing.  Yes, the last 
two can be found by searching through all available applications, if they 
know what to look for.  It is so much easier to say: click on the light 
blue-green infinity sign for Arduino, click on the pile of money for GnuCash, 
or click on the scratch cat for scratch.
> Regards
> 
> Phil
> 
> - -- 
> *** If this is a mailing list, I am subscribed, no need to CC me.***
> 
> Playing the game for the games sake.
> 
> Twitter: kathenasorg
> IRC: kathenas
> Web: https://kathenas.org
> Github: https://github.com/kathenas
> GitLab: https://gitlab.com/kathenas
> 
> GPG: A0C3 4C6A AC2B B8F4 F1E5 EDF4 333F 60DC B0B9 BB77
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> 
> iQIcBAEBAgAGBQJcxeiRAAoJEDM/YNywubt3A+AP/RvYJ2Qr1ugBldJyvFnqSD5c
> p3+dJq26dKGyrY0DqMXC4S7tG1MwEFEbq6OdT0UAHQD0UdvFF6CxbiNwxt6uSg4H
> 14qtDPTT+TtcoSQbmIiLNfwMaSD+TFcIxBSHUkmmvzcpeJ1xft1fjuirpJpz5yLO
> v7oTJkvpu38DY6Rb9ukoXEpctHxQlC+1eoK+PWMEoLCKski47hfGkBg2Ej0JM1De
> ViEMRYfleYYm+zom6F+bjR0QNDbODnZPPicQ0hWuxUF0i7CShKTXFIjLHEMGiyOU
> 0wAZvUiOrQ1n19hce3+/ELMU597extXf73rFnEDW71pdbXVPweAZAATSuApgUPCb
> TAdG3YIhjqBcqUDiMvjyySYQsPn0Y5NYAU/v3eSsW8tz8MuwmQBzkNSao8qtYAp+
> eD0WtEjwPQiTHqyAz8M8eSBBT7GlyCRh+tdgIjeJk45zDqIGIqKLuzS3lxT6Ijl9
> vFrgvyB6PeGjXWGsB1NfVFdXMKTxIZ2JR7xeMI1xnyRwTU0c7toHXZ8BmxdM1BIy
> nkEiyyOfUY7UVgXLsJAJ8+Zo0htp8Vz0JNHbhjlJZNuDN+oOOzqcZ4J5bdWE1N89
> vBA4f+cpq5zm/ij8q545E3Twm3WCJpK7A73BhLAFb/i5qsuLcU2wS/o0b1YLVx52
> BSsTJv2ofFxKl61dr9fn
> =8sxI
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
> 
>                                      
-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 2019-04-28 at 14:25 -0400, Robert Heller wrote:
> At Sun, 28 Apr 2019 18:53:21 +0100 CentOS mailing list <centos at
centos.org>
> wrote:
> 
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On Sun, 2019-04-28 at 12:11 -0400, Robert Heller wrote:
> > > I am having this problem on Ubuntu 18.04 -- I manage a batch of
desktop
> > > machines with some convience desktop launchers, which gnome3
insists are
> > > "untrusted". With some general websearching reveals
that this is a
> > > *GNome3*
> > > so-called "security" issue
> > > (https://gitlab.gnome.org/GNOME/nautilus/commit/1630f5348). I
found a
> > > thread
> > > on the CentOS Forums (I don't have an account there), where
another
> > > sysadmin
> > > is strugling with this issue:
> > > 
> > >
https://www.centos.org/forums/viewtopic.php?f=47&t=65864&start=10
> > > 
> > > If anyone has come up with a script that can be dropped into 
> > > ~/.config/autostart/ to "fix" this "feature"
of gnome3 I would be
> > > interested 
> > > in it.
> > > 
> > > 
> > 
> > Hi,
> > 
> > Just chmod +x the desktop files.
> 
> That is NOT the problem...
> 
> > 
> > That or teach the users how to do things correctly.
> > 
> 
> Oh, yeah, you really think I am going to get very far telling *non-techies*
> to:
> 
> 1) Open up a terminal (right-click on the desktop and select "Open
Terminal")
> 2) Type at the shell prompt (huh? what is a "shell prompt")
> 
>    /usr/local/bin/arduino &
>    
> OR
>    gnucash &
>    
> OR
> 
>    scratch &
>    
> These happen to be the three desktop shortcuts I am providing.  Yes, the
last
> two can be found by searching through all available applications, if they 
> know what to look for.  It is so much easier to say: click on the light 
> blue-green infinity sign for Arduino, click on the pile of money for
GnuCash,
> or click on the scratch cat for scratch.
> 
> 
Hi,

1. Do not jump to caps and shout at me. Not polite and will not get you
anywhere.

Ok, go back to a debian based list and learn how to bundle the applications
yourself. This way you can supply all the required desktop files. If you cannot
do this, get another job.

I would test this on debian stable as I was the author of the backported
security patch. However, I am not inclined to do so.

Regards

Phil

- -- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Twitter: kathenasorg
IRC: kathenas
Web: https://kathenas.org
Github: https://github.com/kathenas
GitLab: https://gitlab.com/kathenas

GPG: A0C3 4C6A AC2B B8F4 F1E5 EDF4 333F 60DC B0B9 BB77
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJcxfQgAAoJEDM/YNywubt3gSYQAIypXswVX59FBVlbz5evtF49
mJRqF6gm4xiHg1SFCt0IWDxFf+fNPkQOfmfE47dVqwWRIezsqNHzmFzog3oyZg2h
UzsOg/JsSFTjxqIg+9YLR848+cRCFxuJEmkegeBApGQj+Rx3l3nfAWANQCLL2j9l
iLU8cwH7oFBr9F4stkkL9ypbaRtnqgL1Mz0f+gXuhbcUkRHDCcIoKJTa8jPG9Kpx
Knl5Z0JAY7P07y72iZ/E1ZWvh/pkaeOljJwMwR51V5vgqZifrVPZzNL3SWxXJEQY
BnWYyanEBR0ZuLGjd2Nd6JgrKFGhx6Q1BfqgWuGQGGQ3bRN2LfjKUfoKnGhW9NWj
yWFvKIX1hkVaTBK1Iww8oesp1zb89CbzRY0ga34x0uI9nvXbVo6eNpou6QiinipQ
T2ioVVuaEHALit7htm8TP88L4Y3pcCuaTF2e9KSp9RE4XjLmeOH/pcgDnRw3K8o3
84pdVVvjQuQClofoqFCCzdaMat03ZAKjVDFHiCDAFpmkbxJhvcal7rEAHr9GP/yU
rmDevz9BDKrW1HtPQtLy7Ws2WP+LjkaXPEh5W/k81am8SM1FDB0sSZ/t0XDIXVAl
f3xmZnTlwXl6jwoH94uYIj3oAoDeh2Q8AA6pu3tYhrUMcih9heEHQAq5D6fV3IFK
pBef5IfjuzltOMP+XgMz
=AfW7
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 2019-04-28 at 19:42 +0100, Phil Wyett wrote:
> On Sun, 2019-04-28 at 14:25 -0400, Robert Heller wrote:
> > At Sun, 28 Apr 2019 18:53:21 +0100 CentOS mailing list <centos at
centos.org>
> > wrote:
> > 
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > On Sun, 2019-04-28 at 12:11 -0400, Robert Heller wrote:
> > > > I am having this problem on Ubuntu 18.04 -- I manage a batch
of desktop
> > > > machines with some convience desktop launchers, which gnome3
insists are
> > > > "untrusted". With some general websearching
reveals that this is a
> > > > *GNome3*
> > > > so-called "security" issue
> > > > (https://gitlab.gnome.org/GNOME/nautilus/commit/1630f5348).
I found a
> > > > thread
> > > > on the CentOS Forums (I don't have an account there),
where another
> > > > sysadmin
> > > > is strugling with this issue:
> > > > 
> > > >
https://www.centos.org/forums/viewtopic.php?f=47&t=65864&start=10
> > > > 
> > > > If anyone has come up with a script that can be dropped into
> > > > ~/.config/autostart/ to "fix" this
"feature" of gnome3 I would be
> > > > interested 
> > > > in it.
> > > > 
> > > > 
> > > 
> > > Hi,
> > > 
> > > Just chmod +x the desktop files.
> > 
> > That is NOT the problem...
> > 
> > > 
> > > That or teach the users how to do things correctly.
> > > 
> > 
> > Oh, yeah, you really think I am going to get very far telling
*non-techies*
> > to:
> > 
> > 1) Open up a terminal (right-click on the desktop and select
"Open
> > Terminal")
> > 2) Type at the shell prompt (huh? what is a "shell prompt")
> > 
> >    /usr/local/bin/arduino &
> >    
> > OR
> >    gnucash &
> >    
> > OR
> > 
> >    scratch &
> >    
> > These happen to be the three desktop shortcuts I am providing.  Yes,
the
> > last 
> > two can be found by searching through all available applications, if
they
> > know what to look for.  It is so much easier to say: click on the
light
> > blue-green infinity sign for Arduino, click on the pile of money for
> > GnuCash, 
> > or click on the scratch cat for scratch.
> > 
> > 
> 
> Hi,
> 
> 1. Do not jump to caps and shout at me. Not polite and will not get you
> anywhere.
> 
> Ok, go back to a debian based list and learn how to bundle the applications
> yourself. This way you can supply all the required desktop files. If you
> cannot
> do this, get another job.
> 
> I would test this on debian stable as I was the author of the backported
> security patch. However, I am not inclined to do so.
> 
> Regards
> 
> Phil
> 
> 
Hi,

You could always try gio setting the metadata for trust. A little google gave
this thread that may help.

Regards

Phil

- -- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Twitter: kathenasorg
IRC: kathenas
Web: https://kathenas.org
Github: https://github.com/kathenas
GitLab: https://gitlab.com/kathenas

GPG: A0C3 4C6A AC2B B8F4 F1E5 EDF4 333F 60DC B0B9 BB77
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJcxfW6AAoJEDM/YNywubt3bboP/ijpc5uKTQqKxSL2l67IyflK
Jcz5DNDlDYgsm7J5EK+owRy+/pX/bLzMuwwkqDCzJHsaV3PlwsBvheHqsMzhlKb8
fz7AlVmomO2wVowR2weBx41LamDCdXhqPstaK2JoZup4/rcW6fAMBkZDqfF7SPQw
PpiKRec+pBXOPPjO39YdcSb6zUq4W2XeycqGOBLyLLa1EG30ipU/25rJBFEgEkds
YeBFgdFTlWdnyqMeKxd43qcxaBmtjdFNO7UXRTBPHwzqMUNCRz2FbzwwbdsBLdjl
dzzV0POclsPR/uM2m/5tBbdeXZPIAXRWlO4nPtPn444Unk+mQ0d1zT7QtJ5qiW2q
l7PiNK27dZIPZKEKDZaKlWB+tKKWFC7qiAsnIJtIJoiH7VFF595jvwm8vhhfyDpq
UduecmJxjCAmtBmVdgDd6ZJoeZyXmvOdpQnpMBEMtkJmwlFd756Mzrsy71eS95jf
G+FObNMbmVusZ8ZbOsno+R8eHudvo55ykfU5xdVBlraWM2OGaiyP9oy98CqkoB4r
2dLS88y7r2aZEJWEqlfpr7BhY8Zf1GV86eT9lnLBJOYk3E3dQR1x2d3EyqQplGOj
1W+QfvWrk18mKhOJl78Lne1qeGsq1DEhjg9alyV0CH50HI2rha41+vVoNQsD7I6c
iGY+keXTX6HEDoSOUduG
=zvIL
-----END PGP SIGNATURE-----

At Sun, 28 Apr 2019 19:42:40 +0100 CentOS mailing list <centos at
centos.org> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sun, 2019-04-28 at 14:25 -0400, Robert Heller wrote:
> > At Sun, 28 Apr 2019 18:53:21 +0100 CentOS mailing list <centos at
centos.org>
> > wrote:
> > 
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > On Sun, 2019-04-28 at 12:11 -0400, Robert Heller wrote:
> > > > I am having this problem on Ubuntu 18.04 -- I manage a batch
of desktop
> > > > machines with some convience desktop launchers, which gnome3
insists are
> > > > "untrusted". With some general websearching
reveals that this is a
> > > > *GNome3*
> > > > so-called "security" issue
> > > > (https://gitlab.gnome.org/GNOME/nautilus/commit/1630f5348).
I found a
> > > > thread
> > > > on the CentOS Forums (I don't have an account there),
where another
> > > > sysadmin
> > > > is strugling with this issue:
> > > > 
> > > >
https://www.centos.org/forums/viewtopic.php?f=47&t=65864&start=10
> > > > 
> > > > If anyone has come up with a script that can be dropped into
> > > > ~/.config/autostart/ to "fix" this
"feature" of gnome3 I would be
> > > > interested 
> > > > in it.
> > > > 
> > > > 
> > > 
> > > Hi,
> > > 
> > > Just chmod +x the desktop files.
> > 
> > That is NOT the problem...
> > 
> > > 
> > > That or teach the users how to do things correctly.
> > > 
> > 
> > Oh, yeah, you really think I am going to get very far telling
*non-techies*
> > to:
> > 
> > 1) Open up a terminal (right-click on the desktop and select
"Open Terminal")
> > 2) Type at the shell prompt (huh? what is a "shell prompt")
> > 
> >    /usr/local/bin/arduino &
> >    
> > OR
> >    gnucash &
> >    
> > OR
> > 
> >    scratch &
> >    
> > These happen to be the three desktop shortcuts I am providing.  Yes,
the last
> > two can be found by searching through all available applications, if
they
> > know what to look for.  It is so much easier to say: click on the
light
> > blue-green infinity sign for Arduino, click on the pile of money for
GnuCash,
> > or click on the scratch cat for scratch.
> > 
> > 
> 
> Hi,
> 
> 1. Do not jump to caps and shout at me. Not polite and will not get you
> anywhere.
> 
> Ok, go back to a debian based list and learn how to bundle the applications
> yourself. This way you can supply all the required desktop files. If you
cannot
> do this, get another job.
> 
> I would test this on debian stable as I was the author of the backported
> security patch. However, I am not inclined to do so.
It is not a debian specific problem. It is a Gnome3 / nautilus issue. The
Gnome3 devs have basically decided that nautilus should not be in the business
of launching applications. So the use of desktop shortcuts to run applications
is depreciated / discurraged with gnome3. The problem also exists for CentOS
7. I found a solution: use gio to set the trusted metadata in a startup
application (script run from ~/.config/autostart/).
> 
> Regards
> 
> Phil
> 
> - -- 
> *** If this is a mailing list, I am subscribed, no need to CC me.***
> 
> Playing the game for the games sake.
> 
> Twitter: kathenasorg
> IRC: kathenas
> Web: https://kathenas.org
> Github: https://github.com/kathenas
> GitLab: https://gitlab.com/kathenas
> 
> GPG: A0C3 4C6A AC2B B8F4 F1E5 EDF4 333F 60DC B0B9 BB77
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> 
> iQIcBAEBAgAGBQJcxfQgAAoJEDM/YNywubt3gSYQAIypXswVX59FBVlbz5evtF49
> mJRqF6gm4xiHg1SFCt0IWDxFf+fNPkQOfmfE47dVqwWRIezsqNHzmFzog3oyZg2h
> UzsOg/JsSFTjxqIg+9YLR848+cRCFxuJEmkegeBApGQj+Rx3l3nfAWANQCLL2j9l
> iLU8cwH7oFBr9F4stkkL9ypbaRtnqgL1Mz0f+gXuhbcUkRHDCcIoKJTa8jPG9Kpx
> Knl5Z0JAY7P07y72iZ/E1ZWvh/pkaeOljJwMwR51V5vgqZifrVPZzNL3SWxXJEQY
> BnWYyanEBR0ZuLGjd2Nd6JgrKFGhx6Q1BfqgWuGQGGQ3bRN2LfjKUfoKnGhW9NWj
> yWFvKIX1hkVaTBK1Iww8oesp1zb89CbzRY0ga34x0uI9nvXbVo6eNpou6QiinipQ
> T2ioVVuaEHALit7htm8TP88L4Y3pcCuaTF2e9KSp9RE4XjLmeOH/pcgDnRw3K8o3
> 84pdVVvjQuQClofoqFCCzdaMat03ZAKjVDFHiCDAFpmkbxJhvcal7rEAHr9GP/yU
> rmDevz9BDKrW1HtPQtLy7Ws2WP+LjkaXPEh5W/k81am8SM1FDB0sSZ/t0XDIXVAl
> f3xmZnTlwXl6jwoH94uYIj3oAoDeh2Q8AA6pu3tYhrUMcih9heEHQAq5D6fV3IFK
> pBef5IfjuzltOMP+XgMz
> =AfW7
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
> 
>           
-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services