[PATCH] Kwallet optional owner based access control

Jonathan Verner jonathan.verner at matfyz.cz
Thu Apr 10 12:53:14 BST 2008


Hi, 

> The appID thing is not spoof-safe -- anyone can craft DCOP or DBUS 
> messages with a fake sender ID in them.

now that I think about it, the current approach doesn't seem
to be secure, even without spoofing the appID:

Since the list of applications which are allowed to access the 
wallet automatically is listed in a configuration file, anyone who 
can tamper with the configuration (which is generally any 
application run by the user), can gain access to the wallet, once 
it is open.

Wouldn't it be better to store the list of allowed applications in 
the wallet (hopefully the cipher is tamper-proof)?

For this to work securely, we would however need a 'spoof-safe'
way to know which application is actually calling us. But this seems 
impossible with DBUS. If the application uses a library call 
however, we might have a chance (at least on linux: getpid + the 
proc filesystem)

But this would still be open to attack, since the attacking 
application will usually have access to the memory of the kded 
server and can read the wallet from there, or is this not true?

Maybe an even better approach would be to allow the user to
mark some entries in the wallet as sensitive and these entries would
always require the user to enter the 'master' password. These 
entries would also need to not be kept in memory.

> I thought the solution to your problem was to create multiple 
> wallets?
> (I'm not sure how applications know which wallet to ask for, 
> though)

That would be akin to the last approach (always asking for a 
password on sensitive data), but I do not know how to tell 
e.g. konqueror to look for some data in a different wallet than 
other data...

What do you think about the approaches I have thought of? Is
there a better one? Or is it not worth bothering?

Anyway, in the light of what was said, it seems the patch I sent is 
worthless :-)

Have a nice day, 

Jonathan Verner
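One way to make the stored allow list tamper-evident, as suggested in the message above (an added example, not kwallet code): derive a MAC key from the wallet master password and authenticate the serialised list, so an edit made by a user-level process that does not know the password is rejected on load. The application ids and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import json
import os
from typing import List, Optional

# Constructed KDF setting for the example; a real wallet would choose its own.
PBKDF2_ITERATIONS = 200_000


def derive_mac_key(password: str, salt: bytes) -> bytes:
    """Derive a 256-bit MAC key from the wallet master password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def seal_allow_list(password: str, app_ids: List[str], salt: Optional[bytes] = None) -> dict:
    """Serialise the allow list and attach an HMAC so later edits are detected."""
    salt = salt or os.urandom(16)
    payload = json.dumps(sorted(app_ids), separators=(",", ":")).encode("utf-8")
    tag = hmac.new(derive_mac_key(password, salt), payload, hashlib.sha256).digest()
    return {"salt": salt.hex(), "apps": payload.decode("utf-8"), "mac": tag.hex()}


def open_allow_list(password: str, record: dict) -> Optional[List[str]]:
    """Return the allow list only if its HMAC verifies; None if tampered or malformed."""
    try:
        salt = bytes.fromhex(record["salt"])
        payload = record["apps"].encode("utf-8")
        tag = bytes.fromhex(record["mac"])
    except (KeyError, ValueError, AttributeError, TypeError):
        return None
    expected = hmac.new(derive_mac_key(password, salt), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(payload)


def is_allowed(password: str, record: dict, app_id: str) -> bool:
    """Auto-open decision: granted only if the list is intact and names the app."""
    apps = open_allow_list(password, record)
    return apps is not None and app_id in apps


if __name__ == "__main__":
    record = seal_allow_list("correct horse", ["konqueror", "kmail"])
    print(is_allowed("correct horse", record, "kmail"))  # True
    # A process edits the stored list without knowing the master password:
    forged = dict(record, apps='["kmail","konqueror","untrusted-app"]')
    print(is_allowed("correct horse", forged, "untrusted-app"))  # False: MAC mismatch
```

This only detects edits to the list; it does not address the separate point in the message that a same-user process may read the open wallet from the daemon's memory.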