<table><tr><td style="">fvogt added a comment.
</td><a style="text-decoration: none; padding: 4px 8px; margin: 0 8px 8px; float: right; color: #464C5C; font-weight: bold; border-radius: 3px; background-color: #F7F7F9; background-image: linear-gradient(to bottom,#fff,#f1f0f1); display: inline-block; border: 1px solid rgba(71,87,120,.2);" href="https://phabricator.kde.org/D10141" rel="noreferrer">View Revision</a></tr></table><br /><div><div><blockquote style="border-left: 3px solid #8C98B8;
color: #6B748C;
font-style: italic;
margin: 4px 0 12px 0;
padding: 8px 12px;
background-color: #F8F9FC;">
<div style="font-style: normal;
padding-bottom: 4px;">In <a href="https://phabricator.kde.org/D10141#203545" style="background-color: #e7e7e7;
border-color: #e7e7e7;
border-radius: 3px;
padding: 0 4px;
font-weight: bold;
color: black;text-decoration: none;" rel="noreferrer">D10141#203545</a>, <a href="https://phabricator.kde.org/p/chinmoyr/" style="
border-color: #f1f7ff;
color: #19558d;
background-color: #f1f7ff;
border: 1px solid transparent;
border-radius: 3px;
font-weight: bold;
padding: 0 4px;" rel="noreferrer">@chinmoyr</a> wrote:</div>
<div style="margin: 0;
padding: 0;
border: 0;
color: rgb(107, 116, 140);"><blockquote style="border-left: 3px solid #8C98B8;
color: #6B748C;
font-style: italic;
margin: 4px 0 12px 0;
padding: 8px 12px;
background-color: #F8F9FC;">
<div style="font-style: normal;
padding-bottom: 4px;">In <a href="https://phabricator.kde.org/D10141#197039" style="background-color: #e7e7e7;
border-color: #e7e7e7;
border-radius: 3px;
padding: 0 4px;
font-weight: bold;
color: black;text-decoration: none;" rel="noreferrer">D10141#197039</a>, <a href="https://phabricator.kde.org/p/fvogt/" style="
border-color: #f1f7ff;
color: #19558d;
background-color: #f1f7ff;
border: 1px solid transparent;
border-radius: 3px;
font-weight: bold;
padding: 0 4px;" rel="noreferrer">@fvogt</a> wrote:</div>
<div style="margin: 0;
padding: 0;
border: 0;
color: rgb(107, 116, 140);"><p>There is one issue I have with this. While this is close to the <tt style="background: #ebebeb; font-size: 13px;">sudo</tt>-mode of temporary authorization grants, it doesn't work that way as the whole session has full access via file.so.</p></div>
</blockquote>
<p>How exactly? Is there any way for an application to choose a slave process instead of being assigned one at random?</p></div>
</blockquote>
<p>There isn't. Which makes any mitigation attempt impossible.</p>
<blockquote style="border-left: 3px solid #a7b5bf; color: #464c5c; font-style: italic; margin: 4px 0 12px 0; padding: 4px 12px; background-color: #f8f9fc;"><p>Till now what I have observed is after a successful authentication only the slave process is authorised to perform the action and not the application itself. So if a malicious app wants to perform some kind of privileged file operation then it has to (somehow) pick up a slave that had been already authorized. And even if that were possible the slave will still show a confirmation dialog.</p></blockquote>
<p>Yes, this is a design issue and why I don't think this can ever be made secure without disabling Persistence completely.</p>
<blockquote style="border-left: 3px solid #a7b5bf; color: #464c5c; font-style: italic; margin: 4px 0 12px 0; padding: 4px 12px; background-color: #f8f9fc;"><blockquote style="border-left: 3px solid #a7b5bf; color: #464c5c; font-style: italic; margin: 4px 0 12px 0; padding: 4px 12px; background-color: #f8f9fc;"><p>It would be great if this could work with just the application which initially requested the privilege.<br />
With this, the whole session has full root-level access to literally everything on the system.</p></blockquote>
<p>I do understand having authorization persist for the entire session means disaster but when kauth generates the policy file this option only results in "auth_admin_keep". <br />
Polkit's manpage says: <strong>auth_admin_keep - Like auth_admin but the authorization is kept for a brief period (e.g. five minutes).</strong></p>
<p>Also when I execute <strong>pkcheck --list-temp</strong> after authenticating a file operation started by dolphin the output I get includes these lines</p>
<div class="remarkup-code-block" style="margin: 12px 0;" data-code-lang="text" data-sigil="remarkup-code-block"><pre class="remarkup-code" style="font: 11px/15px 'Menlo', 'Consolas', 'Monaco', monospace; padding: 12px; margin: 0; background: rgba(71, 87, 120, 0.08);">subject: unix-process:9532:1210162 (file.so [kdeinit5] file local:/run/user/1000/klauncherTJ7042.1.slave-socket local:/run/user/1000/kioslavetestAX7208.3.slave-socket)
expires: 4 min 47 sec from now (Fri Feb 9 21:43:47 2018)</pre></div>
<p>This suggests <strong>auth_admin_keep</strong> results in temporary authorization of one particular process for 5 minutes and not for the entire user session.<br />
So can you explain to me one more time why you think persistence=session is a bad idea? Do correct me if I got anything (or everything?) above wrong.</p></blockquote>
<p>Session refers to two independent things: The time from login to logout and all processes started by the user.<br />
The latter meaning is the issue.<br />
Now imagine you have a proprietary application running on Wayland. It can just wait until you try to make a change using the kauth helper and then just<br />
inject its own files somewhere. Currently it does not even have to be a change, reading a file is enough as the helper does not care.</p></div></div><br /><div><strong>REPOSITORY</strong><div><div>R241 KIO</div></div></div><br /><div><strong>REVISION DETAIL</strong><div><a href="https://phabricator.kde.org/D10141" rel="noreferrer">https://phabricator.kde.org/D10141</a></div></div><br /><div><strong>To: </strong>elvisangelaccio, lbeltrame, dfaure, davidedmundson, fvogt, chinmoyr<br /><strong>Cc: </strong>Frameworks, michaelh, ngraham<br /></div>
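<p>An added example, not part of the original thread and not KIO or polkit code: a small parser for the <tt>pkcheck --list-temp</tt> lines quoted above, showing that a temporary authorization names one process by its (pid, start-time) pair rather than the application that triggered the request. The function names, the second sample record and the blank line between records are assumptions; only the <tt>subject:</tt> and <tt>expires:</tt> lines shown in the thread are relied on.</p>

```python
import re

# Constructed sample: the first record is the two lines quoted in the thread;
# the second record and the blank-line separator are assumptions.
SAMPLE = """\
subject: unix-process:9532:1210162 (file.so [kdeinit5] file local:/run/user/1000/klauncherTJ7042.1.slave-socket local:/run/user/1000/kioslavetestAX7208.3.slave-socket)
expires: 4 min 47 sec from now (Fri Feb 9 21:43:47 2018)

subject: unix-process:4242:998877 (constructed-example-process)
expires: 12 sec from now (Fri Feb 9 21:39:12 2018)
"""

SUBJECT_RE = re.compile(r"unix-process:(\d+):(\d+)\s*(?:\((.*)\))?\s*$")
EXPIRES_RE = re.compile(r"(?:(\d+) min )?(\d+) sec from now")


def parse_temp_authorizations(text):
    """Return one dict per record whose subject is a unix-process."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        subject = SUBJECT_RE.match(fields.get("subject", ""))
        if subject is None:
            continue  # not a process-bound grant, or a format we do not know
        expires = EXPIRES_RE.match(fields.get("expires", ""))
        seconds_left = None
        if expires:
            seconds_left = int(expires.group(1) or 0) * 60 + int(expires.group(2))
        records.append({
            "pid": int(subject.group(1)),
            "start_time": int(subject.group(2)),
            "cmdline": subject.group(3) or "",
            "seconds_left": seconds_left,
        })
    return records


def holds_grant(records, pid, start_time):
    """A grant matches only the exact (pid, start-time) pair it names."""
    return any(r["pid"] == pid and r["start_time"] == start_time for r in records)


if __name__ == "__main__":
    for rec in parse_temp_authorizations(SAMPLE):
        print(rec["pid"], rec["start_time"], rec["seconds_left"], rec["cmdline"][:40])
```

<p>The grant in the first record belongs to the <tt>file.so</tt> slave process, so any review of who can use it has to consider every client that can reach that slave, which is the point under discussion in the thread.</p>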