What to do with potential workflow-changing / breaking changes?
Martin Gräßlin
mgraesslin at kde.org
Tue Feb 21 20:19:56 GMT 2017
Am 2017-02-21 20:39, schrieb Fabian Vogt:
>> > - Saving clipboard contents, restoring again
>>
>> Pointless as we cannot restore in an app which is going to close down.
>> It needs klipper to be able to restore.
>
> Is there no built-in API in QClipboard for that or is this the issue
> that
> the clipboard on X11 is a weird shared buffer?
The clipboard content is gone when a window closes. That's the primary
reason why klipper exists, that you have a history is just a side
effect.
>
>> > - Disabling pasting into the password field (event filter?)
>>
>> That was my initial thought as well, but I didn't find anything in the
>> Qt API to achieve it.
>
> Wouldn't an event filter capturing Ctrl-V (or however it is implemented
> inside Qt to determine the key combo) and middle mouse work?
> I'm not sure whether that works with QML, I'm still used to good ol'
> QWidgets...
yes, maybe. Maybe not. The filtering in screenlocker is already quite
bad and we don't know in the screenlocker what's the input field. After
all we load the ui through a look'n'feel package.
>> The diff has a problem: it's X11 specific without checking whether we
>> are on X11 (and that early we just don't know. On my system (modern
>> session) both WAYLAND_DISPLAY and DISPLAY are available.)
>
> Yup, as it's not possible to run applications as root on wayland anyway
> I didn't bother to figure out something. By doing 2>/dev/null that
> should work sufficiently on wayland as well, using the cout fallback.
I'm extremely against adding X11 specific code to otherwise
multi-platform applications.
We just make our lifes more difficult and that might bite us in the
backside a few years down.
If we want to do something now, let's do it in a portable,
multi-windowing system way and ignore the fact that right now it
wouldn't work on Wayland anyway.
>
>> I think the detection needs to go into kdesu(do). That would also
>> ensure
>> that we detect the Wayland case which currently also just exits.
>
> What about other methods of launching it? You mentioned polkit, for
> example.
Polkit is not for launching apps as root. It's for doing a certain
action (e.g. saving a file as root).
I'm not aware of any other options except of kdesu(do) or the gnome
version of it, which I don't think we care about.
>
>> I just tried to see what happens:
>> kdesudo dolphin
>> Invalid MIT-MAGIC-COOKIE-1 keyQXcbConnection: Could not connect to
>> display :0
>>
>> That is kdesudo/kdesu could detect whether the process directly failed
>> and show an error message: "Did you try starting a GUI application as
>> root? Several applications protect against it and disallow it. If you
>> want to edit a file consider using sudoedit..."
>>
>> It would mean that we need to change kate to not return 0, but maybe
>> -EPERM?
>
> As it's the goal to disallow applications from running graphically as
> root anyway, maybe kwin is the best place? I'm not too familiar with
> the X11 protocol, but maybe it's possible to detect a new X11
> connection
> and display the warning message to the user and if he selects "Cancel"
> the connection is terminated.
Nope, we don't get this.
> There is a window between the connection getting established and the
> user making a decision, I'm not sure how critical that would be.
Well that's the point: that's too late. You can see this in my review
request. It's of most importance to terminate the application prior to
establishing a connection to the X server. As soon as the connection is
opened we must consider the application as exploited. My attack against
dolphin worked that way to directly interact with the window when it
opens. That is when the x window is opened, not when the window renders.
The result was that the first frame already shows konsole tab opened
with a:
#whoami
root
As soon as we have a window we are completely exploitable through xprops
on the window - I just assume that there is a string processing
vulnerability somewhere in the stack. Also we cannot assume that the
xserver is trusted: it might be a fake one, so just opening the
connection is dangerous. Given the crash reports I get for KWin in
string handling, I'm actually quite certain there is at least one
possibly exploitable crash.
I highly suggest to watch
https://media.ccc.de/v/30C3_-_5499_-_en_-_saal_1_-_201312291830_-_x_security_-_ilja_van_sprundel
which goes into the detail of how insecure X is and why I consider
opening just a connection to xcb is dangerous. The talk also mentions
KDE software, but was wrong in that point (the mentioned software is
secure). Nevertheless this talk is the reason that Qt forbids setuid
applications.
Cheers
Martin
More information about the Distributions
mailing list