267977 - Downloads matching certain mime types should be automatically marked +x

Status: RESOLVED EXPIRED

(Toolkit :: Downloads API, enhancement)

Description

[Mike Hearn]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10.1

Currently if you download a script (like a Loki self-extracting installer) it is
not marked executable. This means it's difficult to run it: if you are new to
Linux and don't happen to know that you must give programs executable permission
before you can run them, it's effectively impossible to install the software you
just paid for in an online store.

For certain mime-types, the download should be marked as executable
automatically (but not run automatically).

You may be thinking this reduces security. It doesn't: it's possible to run non
+x programs even on noexec mounts. It's not even difficult on Linux, and there
are about a million ways of doing so. This isn't really possible to fix. If the
user has downloaded an executable file, they probably want to run it. File
managers like Nautilus (GNOME) already ask the user to confirm before running
executable files, so there's no need to make the user jump through two hoops
instead of one, this reduces usability for no gain.

Why implement this in Mozilla rather than simply make Linux file managers ignore
the +x bit? Simply, because that way knowledge about how to run scripts is kept
out of the file/mime system so it's harder to abuse from email clients which
probably don't want to auto-execute attachments which are far easier to shove in
the users face than downloads are.

If you are thinking users should just learn how to set the +x bit from their
file manager of choice, then I have several angry customers I can forward to you
who bought software from the company I work for then asked for a refund as they
couldn't figure out how to run the installer. 

Setting the +x bits on downloads of certain mime types (sniffing not necessary,
we can configure the server-side correctly) makes life easier for the user, and
doesn't reduce security. So let's do it! :)

thanks -mike

Reproducible: Always
Steps to Reproduce:

Comment 1

[Gervase Markham [:gerv]]

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Comment 2

[Gervase Markham [:gerv]]

This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.