<html>
<body>
<div style="font-family: Verdana, Arial, Helvetica, Sans-Serif;">
<table bgcolor="#f9f3c9" width="100%" cellpadding="12" style="border: 1px #c9c399 solid; border-radius: 6px; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tr>
<td>
This is an automatically generated e-mail. To reply, visit:
<a href="https://git.reviewboard.kde.org/r/126102/">https://git.reviewboard.kde.org/r/126102/</a>
</td>
</tr>
</table>
<br />
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<p style="margin-top: 0;">On November 18th, 2015, 2:57 p.m. UTC, <b>Matthias Klumpp</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">I just wanted to write what David wrote ;-)
Maybe a way to resolve this is to filter environment variables in KWin or before starting KWin, so anything pointing to directories in $HOME gets stripped away (unsetting LD_* variables might also be part of that).</p></pre>
</blockquote>
<p>On November 18th, 2015, 3:10 p.m. UTC, <b>Martin Gräßlin</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">well, those are many possible variables and it might be a terrible catch-up game with any new variable Qt includes. It at least would affect:
- LD_LIBRARY_PATH
- QT_PLUGIN_PATH
- PATH
- LD_PRELOAD (see general LD_PRELOAD Wayland keylogger hack)
- some QML variables which I don't know right now
- anything else I don't remember right now
- any aliases (one could do alias kwin_wayland="something evil")
- any bash functions.</p>
<p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">Ideally there just shouldn't be any scripts sourced before kwin gets started</p></pre>
</blockquote>
</blockquote>
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">I was thinking more of an "unset all => set what's needed" workflow. Aliases can be worked around by giving absolute paths in the script.
Still, it isn't nice and unfortunately some of those scripts need to be sourced because of $HISTORIC_REASON or simply because users expect it, or - in case of .pam_environment - because it's a global distro default.
The only way around that would be starting KWin before SDDM starts (which would have its own problems, as far as I can see).
Meh :-/</p></pre>
<br />
<p>- Matthias</p>
<br />
<p>On November 18th, 2015, 8:18 a.m. UTC, Martin Gräßlin wrote:</p>
<table bgcolor="#fefadf" width="100%" cellspacing="0" cellpadding="12" style="border: 1px #888a85 solid; border-radius: 6px; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tr>
<td>
<div>Review request for Plasma.</div>
<div>By Martin Gräßlin.</div>
<p style="color: grey;"><i>Updated Nov. 18, 2015, 8:18 a.m.</i></p>
<div style="margin-top: 1.5em;">
<b style="color: #575012; font-size: 10pt;">Repository: </b>
plasma-workspace
</div>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Description </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
<tr>
<td>
<pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">This change makes sure that the environment scripts are not sourced
before KWin is started. No user installed scripts are allowed to modify
KWin's environment as that opens an attack vector.
For example any binary plugin loaded into KWin (be it QStyle, QPT plugin,
etc.) is able to become a key logger. If the env variables were allowed
to be sourced before KWin is started a malicious application run as user
(e.g. exploiting browser vulnerability) would be able to install a key
logger. Required steps:
1. install a malicious QStyle plugin somewhere in $HOME
2. place a script in env to adjust variables to load the QStyle plugin
This would be enough to have a key logger on next login.
Given that, the startup of KWin must not be affected by any scripts
owned by the user prior to startup.
The env scripts are now sourced as first step of startplasma, so
for applications in the session there is no difference.</pre>
</td>
</tr>
</table>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Diffs</h1>
<ul style="margin-left: 3em; padding-left: 0;">
<li>startkde/startplasma.cmake <span style="color: grey">(8360a636d3f68c957a15158484360a611cfe3ff8)</span></li>
<li>startkde/startplasmacompositor.cmake <span style="color: grey">(8b5db615142455fd360c66504fc5d5a7754a029c)</span></li>
</ul>
<p><a href="https://git.reviewboard.kde.org/r/126102/diff/" style="margin-left: 3em;">View Diff</a></p>
</td>
</tr>
</table>
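<p>The two ideas in this thread, Martin's attack steps (a QStyle plugin under $HOME plus an env script that makes KWin load it) and Matthias's "unset all =&gt; set what's needed" launcher with absolute paths, as an added example in POSIX sh. This is not plasma-workspace code and not the change under review: the binary path in COMPOSITOR_BIN, the list of variables in LOADER_VARS (Martin notes the real list is open-ended) and the allowlist in launch_compositor are assumptions chosen for illustration.</p>

```shell
#!/bin/sh
# Added example, not plasma-workspace code: the "unset all => set what's
# needed" launcher discussed in the thread, plus a check that reports
# inherited variables able to redirect library or plugin loading into $HOME.
# COMPOSITOR_BIN, LOADER_VARS and the allowlist below are assumptions.

COMPOSITOR_BIN=/usr/bin/kwin_wayland

# Variables that steer the dynamic loader, the PATH lookup of the binary
# itself, or Qt's plugin/QML search paths. Listed in report order.
LOADER_VARS="LD_PRELOAD LD_AUDIT LD_LIBRARY_PATH PATH QT_PLUGIN_PATH \
QT_QPA_PLATFORM_PLUGIN_PATH QML2_IMPORT_PATH QML_IMPORT_PATH"

# path_points_into_home LIST: succeed if any ':'-separated entry is empty
# or relative (resolved against the cwd), starts with "~", or lies under
# $HOME. Such an entry lets a user-owned file be loaded into the process.
path_points_into_home() {
    rest=$1
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more= ;;
        esac
        case $entry in
            "$HOME"|"$HOME"/*|"~"|"~/"*) return 0 ;;
            /*) ;;                          # absolute and outside $HOME
            *)  return 0 ;;                 # empty or relative entry
        esac
        [ -n "$more" ] || return 1
    done
}

# unsafe_env_report: print NAME=VALUE for each loader variable that is set
# and dangerous. LD_PRELOAD/LD_AUDIT are reported whenever set (they inject
# code wherever it lives); the others when an entry points into $HOME or at
# a relative directory.
unsafe_env_report() {
    for name in $LOADER_VARS; do
        eval "value=\${$name-}"
        [ -n "$value" ] || continue
        case $name in
            LD_PRELOAD|LD_AUDIT) printf '%s=%s\n' "$name" "$value" ;;
            *) path_points_into_home "$value" && printf '%s=%s\n' "$name" "$value" ;;
        esac
    done
    return 0
}

# launch_compositor: start from an empty environment and set only what the
# compositor needs, with values fixed here rather than inherited. The
# absolute paths bypass shell functions and PATH shadowing; env -i also
# discards exported bash functions (BASH_FUNC_*%% variables), so nothing
# inherited reaches whatever the compositor later spawns. Allowlist values
# are an assumption for this example.
launch_compositor() {
    exec /usr/bin/env -i \
        HOME="$HOME" USER="${USER-}" LANG="${LANG:-C}" \
        PATH=/usr/local/bin:/usr/bin:/bin \
        XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:?must be set}" \
        "$COMPOSITOR_BIN" "$@"
}

case ${1-} in
    --check)  unsafe_env_report ;;
    --launch) shift; launch_compositor "$@" ;;
esac
```

<p>Run with <code>--check</code> from a login shell to see which of the inherited variables would have reached the compositor; with <code>--launch</code> it replaces itself with the compositor under the fixed environment. The report is the catch-up game Martin describes (every new Qt variable needs adding), which is why the launcher does not consult it at all and instead starts from <code>env -i</code>.</p>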
</div>
</body>
</html>