Making kwallet more secure

Michael Pyne mpyne at purinchu.net
Sat Aug 23 18:22:11 BST 2008


On Saturday 23 August 2008, Oswald Buddenhagen wrote:
> On Sat, Aug 23, 2008 at 12:21:47PM +0200, Michael Leupold wrote:
> > - Can I trust the information about the caller that's provided on
> > receiving a message? If so I could use the interfaces to figure out
> > the caller's PID and get more information to present to the user. I
> > could also set ACLs based on the caller's path.
>
> Even if you could trust this information, it would be completely
> useless: one user's processes can interfere with each other to their
> liking. That's why I told you that any such security model is worthless
> unless you integrate it with SELinux or some other sandboxing solution
> (and it is actually deployed by the user, which won't be the case for
> the vast majority of desktop users).

Indeed, you can encrypt your channel as much as you want, but if you have
untrusted code running on the same system, then they can simply get around all
that by snooping around in the kwallet kded program (i.e. however gdb helps you
debug processes, that same mechanism can be used for EVIL...).

You would have to ensure that the kwallet daemon runs as a different user at a
minimum, I would think.  I wonder how ssh-agent and gpg-agent handle it, though;
maybe I'm thinking this through wrong and there's a syscall that can lock
memory away even from different PIDs owned by the same user.

Regards,
 - Michael Pyne
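Editor's note: the two points made above (a same-user process can read the daemon's memory the way gdb does, and the question of whether a syscall can lock memory away from other PIDs of the same user) can be shown concretely on Linux. The program below is an added example; it is not code from this thread or from KWallet. A parent process plays the same-uid attacker and reads a constructed "wallet secret" out of a forked child through /proc/<pid>/mem, which goes through the same kernel access check (ptrace_may_access) as a PTRACE_ATTACH from gdb. The second run has the child call prctl(PR_SET_DUMPABLE, 0): mlock(2) only keeps a page out of swap and does nothing against a tracer, whereas a non-dumpable process refuses ptrace and /proc/<pid>/mem reads from unprivileged processes even when they share its uid. The secret string, the helper names (read_child_secret, tracer_is_privileged, yama_allows_ancestor_trace) and the Yama ptrace_scope check are the example's own, and the code is Linux-specific.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a wallet password sitting in the daemon's memory. */
#define SECRET "correct horse battery staple"
#define PAGE 4096

/* Child side: pretend to be the wallet daemon holding SECRET in memory. */
static void run_victim(char *buf, int dumpable, int ready_fd)
{
    memcpy(buf, SECRET, sizeof SECRET);
    (void)mlock(buf, PAGE);          /* keeps the page out of swap; no effect on a tracer */
    if (!dumpable)
        (void)prctl(PR_SET_DUMPABLE, 0); /* refuse ptrace / /proc/<pid>/mem to unprivileged peers */
    ssize_t w = write(ready_fd, "x", 1); /* tell the parent the secret is in place */
    (void)w;
    close(ready_fd);
    pause();                         /* sit here until killed */
    _exit(0);
}

/* Parent side: act as a same-user attacker. Fork a victim, then read SECRET out of its
 * address space via /proc/<pid>/mem. fork() duplicates the address space, so the buffer
 * has the same address in both processes and the parent knows exactly where to look.
 * Returns 1 if the secret was recovered from the child, 0 if the kernel refused. */
int read_child_secret(int dumpable)
{
    char *buf = mmap(NULL, PAGE, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return 0;
    int ready[2];
    if (pipe(ready) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        close(ready[0]);
        run_victim(buf, dumpable, ready[1]);
    }
    close(ready[1]);
    char c;
    ssize_t r = read(ready[0], &c, 1); /* block until the victim has written SECRET */
    (void)r;
    close(ready[0]);

    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    char out[sizeof SECRET] = {0};
    int ok = 0;
    int fd = open(path, O_RDONLY);   /* the ptrace access check happens here */
    if (fd < 0) {
        printf("victim dumpable=%d: open(%s) refused: %s\n", dumpable, path, strerror(errno));
    } else {
        ssize_t n = pread(fd, out, sizeof SECRET, (off_t)(uintptr_t)buf);
        if (n == (ssize_t)sizeof SECRET && memcmp(out, SECRET, sizeof SECRET) == 0)
            ok = 1;
        else
            printf("victim dumpable=%d: pread failed: %s\n", dumpable,
                   n < 0 ? strerror(errno) : "short read");
        close(fd);
    }
    /* The parent never wrote to its own copy of the page; any match came from the child. */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    munmap(buf, PAGE);
    return ok;
}

/* Rough proxy for "holds CAP_SYS_PTRACE", which lets a tracer bypass the dumpable check. */
int tracer_is_privileged(void) { return geteuid() == 0; }

/* Yama ptrace_scope 0 or 1 lets an ancestor trace its descendants; 2 and 3 do not.
 * A missing file means Yama is not built in, i.e. classic same-uid rules apply. */
int yama_allows_ancestor_trace(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f)
        return 1;
    int scope = 0;
    if (fscanf(f, "%d", &scope) != 1)
        scope = 0;
    fclose(f);
    return scope <= 1;
}

int main(void)
{
    printf("same-uid read, victim dumpable:     %s\n",
           read_child_secret(1) ? "secret recovered" : "blocked");
    printf("same-uid read, victim non-dumpable: %s\n",
           read_child_secret(0) ? "secret recovered" : "blocked");
    return 0;
}
```

Compile with cc -Wall and run as an ordinary user: the first line reports the secret recovered, the second reports the open refused. Root with CAP_SYS_PTRACE reads both, and a Yama ptrace_scope of 2 or 3 blocks both. Making the daemon non-dumpable (setuid/setgid binaries get this automatically) narrows the hole but does not close it in the way Buddenhagen describes: a same-uid process can still kill the daemon and start a look-alike, edit the user's config, or poison the next login session.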
