Why do I have to permit permanent user write access to the XSplash image folder for the "Use Desktop Background" option and is it save to do so?

Created by meerkat on on 2010-02-01

The "Use Desktop Background" option dynamically synchronizes the XSplash background with the users desktop background. This means everytime the user changes his desktop background this image is converted to jpeg format and copied to the XSplash image folder. As this is one by a user process permanent user write access to that folder is needed (otherwise the user would have to type his password everytime he changes his desktop background). As XSplash always uses the same images and doesnt distinguish between different user (before the login that wouldnt be possible anyway), this folder is outside the user folder hierarchy which is traditionally the only one with permanent user write access. So granting user write access to this folder violates this base security concept. On the other hand write access to that folder only means, that anyone having access to your computer (either direct or through malicious software) will be able to change background, logo and throbber of your XSplash screen. This may be used for offending jokes or to cause XSplash to crash. However this would neither disturb the boot process nor affect any other system components. Normally on a private single user system this should be perfectly save, as only one user has direct access to the computer (or at least only trusted users have) and average systems are well protected from malicious software. On multi user systems and especially public ones on the other hand, any user could easily manipulate the XSplash screen. This is one reason, why this option is not recommended for multi user systems.