Security Audit Request for Screenlocker Branch

Thomas Lübking thomas.luebking at gmail.com
Tue Oct 11 15:33:39 BST 2011


On Tue, 11 Oct 2011 16:00:17 +0200, Martin Gräßlin <mgraesslin at kde.org> wrote:

> On Tuesday 11 October 2011 16:06:11 Andras Mantia wrote:
> > This is not true, the system can be used without a window manager
> > and if you happen to have a running terminal or start one, it is
> > possible to start a new window manager (which might not be kwin)
> > and access everything.
> yes if you have a terminal open and if it is the top most of stacking
> order it is possible to start another window manager. If that is not
> the case you are not able to start anything as KRunner or kickoff
> cannot be opened.

Just for the record: if you've shortcuts to other runners or a
terminal, they usually/often work (autoraising & bypassing the WM
anyway).
Also it's not required to have the terminal on top of the stack - I've
always been very successful abusing MMB c&p to clickpaste me any
command I wanted ;-)
Moreover some RMB popup plasmoids could provide direct WM starting.

Once the screen locker crashes, security must be assumed
broken (if only by visual access).
Therefore the locker must not crash, and if it does, it must be
re-established asap (and best: log the incident and message the user).

This is of course no different for any kind of screen locking process.

As kwin is nevertheless a pretty complex piece of software, one *might*
end up providing a 10 line X11 only watchdog process which monitors kwin
and, if it crashes,
a) grabs the server and paints it black
b) ensures kwin comes back (in locking mode)

This is not very eye-candy, but a (pot. only optional) LLoD (for more
hostile environments than Joe User's living room) - while I must admit
that systems that keep or access really crucial information... well,
let's say KDE doesn't fit them at all.
And neither would MacOS or -omg- Windows ;-)

> I myself have never run into a situation where KWin did not restart
> except for development issues (broken setup due to incompatible
> Oxygen client deco and Oxygen lib or PEBKAC during development).
Any overflow has the potential to invalidate signal handling, but it's
of course nearly impossible to predict or enforce.
And of course if you manage to crash out the counter.

Cheers,
Thomas
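The watchdog sketched in the message above (grab the server, paint it black, bring the locker back, log the incident), as an added example that is not part of the thread or of KWin. It is written in Python over ctypes rather than as the C program the message has in mind; it assumes libX11.so.6 is available at runtime, and the command line that starts kwin in locking mode is passed through unchanged, since the exact flag of the screenlocker branch is not given here.

```python
import ctypes, subprocess, sys

def classify_exit(rc):
    """subprocess reports death by signal as a negative return code."""
    return "clean" if rc == 0 else ("crashed" if rc < 0 else "error")

def blank_screen():
    """Grab the X server and cover the root window in black; returns a callable that
    drops the grab, or None without a display. Assumption: libX11.so.6 is present;
    it is loaded lazily so supervise() can run (and be tested) without X."""
    x = ctypes.CDLL("libX11.so.6")
    D, W, I, U = ctypes.c_void_p, ctypes.c_ulong, ctypes.c_int, ctypes.c_uint
    x.XOpenDisplay.restype, x.XOpenDisplay.argtypes = D, [ctypes.c_char_p]
    x.XDefaultScreen.argtypes = x.XGrabServer.argtypes = [D]
    x.XUngrabServer.argtypes = x.XFlush.argtypes = [D]
    x.XDefaultRootWindow.argtypes, x.XDefaultRootWindow.restype = [D], W
    x.XBlackPixel.argtypes, x.XBlackPixel.restype = [D, I], W
    x.XDisplayWidth.argtypes = x.XDisplayHeight.argtypes = [D, I]
    x.XCreateSimpleWindow.argtypes = [D, W, I, I, U, U, U, W, W]
    x.XCreateSimpleWindow.restype, x.XMapRaised.argtypes = W, [D, W]
    dpy = x.XOpenDisplay(None)
    if not dpy:
        return None
    scr = x.XDefaultScreen(dpy)
    black = x.XBlackPixel(dpy, scr)
    w, h = x.XDisplayWidth(dpy, scr), x.XDisplayHeight(dpy, scr)
    x.XGrabServer(dpy)  # from here the server holds back every other client's requests
    win = x.XCreateSimpleWindow(dpy, x.XDefaultRootWindow(dpy), 0, 0, w, h, 0, black, black)
    x.XMapRaised(dpy, win)  # the WM is dead, so nothing intercepts or restacks the map
    x.XFlush(dpy)
    def release():
        x.XUngrabServer(dpy)
        x.XFlush(dpy)
    return release

def supervise(cmd, max_restarts=None, blank=blank_screen):
    """Run cmd; on every non-clean exit blank the screen, log it, and respawn cmd,
    holding the server grab until the replacement is started. Returns restart count."""
    crashes, release = 0, None
    while True:
        proc = subprocess.Popen(cmd)
        if release:
            release()  # the replacement is connected; now let its requests through
        rc = proc.wait()
        state = classify_exit(rc)
        if state == "clean" or (max_restarts is not None and crashes >= max_restarts):
            return crashes
        crashes += 1
        print(f"watchdog: {cmd[0]} exited {rc} ({state}); restart #{crashes}", file=sys.stderr)
        release = blank()
```

Run it as `supervise(["kwin", "<lock-mode flag>"])` from the session that owns the display; the grab is held across the respawn so that the black window is already up before any other client's requests are processed again.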
