I think this is missing the main problem with security on a Linux Desktop, the user. All an attacker has to do is to convince the user to run InstallSteamWithAllGamesUnlockedForFree.sh You know, the AnnaKurnikovaSexTape.exe of the windows world.
This is an education problem and no amount of tech is going to fix it.
Even if dbus didn't have this problem, this is my hardware, I'll do what I want! That's the whole point of Linux.
nearly everything talks dbus, even browser extensions.
It’s even more serious than running untrusted shell scripts.
That's not the problem. The real problem is that if I convince you to run my script, it's going to be quite easy to convince you to give me extra permissions, so I can get to your data. It really irks me when things like Cargo are doing exactly that, make me run a sh script. Cargo and the likes, are making running sh scripts way too common.
I assume you mean rustup, not cargo specifically or am I wrong?
cargo builds/runs build.rs in the background
Yeah, that was a brain fart.
browser extensions? you mean like Chrome ones etc? never heard of that being a thing
plasma integration and gnome-shell integration do, and those are open source so you can see for yourself.
It’s also very common for password manager extensions like 1password and bitwarden.
Forget running some random downloaded shell script, just needs to convince the user to curl some-url/do-some-cool-thing | bash.