Review Request 117157: Unlock session via DBus

Thomas Lübking thomas.luebking at gmail.com
Sat Mar 29 12:19:47 GMT 2014 


> On March 29, 2014, 12:05 p.m., Martin Gräßlin wrote:
> > I also have problems imagining what a use case for this is and I consider this as a security issue. It basically means that the session can get unlocked without going through authentication.
> 
> Kirill Elagin wrote:
>     You have to authenticate anyway to access the DBus session bus.
> 
> Martin Gräßlin wrote:
>     and running applications? It would allow $evilsecretservice to unlock the screen when $agent needs to use the system after remote installing some software. Since Snowden this doesn't sound so far fetched any more (unfortunately).

you need access to a random shell of that user (what does not imply you actively logged into it), but can expose another session that pot. allows access to other logins (mail, webservices, even banking)

this should (by default) no way be possible. any way to circumvent authentication to this very session should be guarded by a special "knowwhatido" key or require active authentication (ie. passing the pass hash via dbus - what's insecure enough by itself)


- Thomas


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/117157/#review54538
-----------------------------------------------------------


On March 29, 2014, 11:58 a.m., Kirill Elagin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/117157/
> -----------------------------------------------------------
> 
> (Updated March 29, 2014, 11:58 a.m.)
> 
> 
> Review request for kde-workspace.
> 
> 
> Bugs: 314989
>     http://bugs.kde.org/show_bug.cgi?id=314989
> 
> 
> Repository: kde-workspace
> 
> 
> Description
> -------
> 
> Unlock session via DBus
> 
> Make org.freedesktop.ScreenSaver.SetActive(false) unlock session.
> 
> 
> Diffs
> -----
> 
>   plasma-workspace/ksmserver/screenlocker/interface.cpp ecb30a37b1a207cf9dab8c53b1b879108a99a45b 
>   plasma-workspace/ksmserver/screenlocker/ksldapp.h b292b62f4df073fff31bcbfd0e39f4c4fe04c92d 
>   plasma-workspace/ksmserver/screenlocker/ksldapp.cpp f2e5262524447e8ae1df1fbf6543297c3be3e6b8 
> 
> Diff: https://git.reviewboard.kde.org/r/117157/diff/
> 
> 
> Testing
> -------
> 
> I've tested this with KDE 4.11.5 which I'm currently running.
> Rebasing to master was completely trivial; I've looked through the code and I believe all the assumptions I made are still valid in master.
> 
> 
> Thanks,
> 
> Kirill Elagin
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20140329/10625849/attachment.htm>

More information about the kde-core-devel mailing list