Review Request 117157: Unlock session via DBus

Kirill Elagin kirelagin at gmail.com
Sat Mar 29 12:22:51 GMT 2014



> On March 29, 2014, 12:05 p.m., Martin Gräßlin wrote:
> > I also have problems imagining what a use case for this is and I consider this as a security issue. It basically means that the session can get unlocked without going through authentication.
> 
> Kirill Elagin wrote:
>     You have to authenticate anyway to access the DBus session bus.
> 
> Martin Gräßlin wrote:
>     and running applications? It would allow $evilsecretservice to unlock the screen when $agent needs to use the system after remote installing some software. Since Snowden this doesn't sound so far fetched any more (unfortunately).
> 
> Thomas Lübking wrote:
>     you need access to a random shell of that user (what does not imply you actively logged into it), but can expose another session that pot. allows access to other logins (mail, webservices, even banking)
>     
>     this should (by default) no way be possible. any way to circumvent authentication to this very session should be guarded by a special "knowwhatido" key or require active authentication (ie. passing the pass hash via dbus - what's insecure enough by itself)

If you've installed your evil software you already have a thousand of ways of accessing the system.
My point is: if you've got privileges to issue this DBus call, you already have privileges to bypass the lockscreen. This is just a _sane_ way of doing so, because if you're an $evilagent you don't care how many lines of shell code it will take you to bypass the lockscreen, but if you are the user, it starts to matter.


- Kirill


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/117157/#review54538
-----------------------------------------------------------


On March 29, 2014, 11:58 a.m., Kirill Elagin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/117157/
> -----------------------------------------------------------
> 
> (Updated March 29, 2014, 11:58 a.m.)
> 
> 
> Review request for kde-workspace.
> 
> 
> Bugs: 314989
>     http://bugs.kde.org/show_bug.cgi?id=314989
> 
> 
> Repository: kde-workspace
> 
> 
> Description
> -------
> 
> Unlock session via DBus
> 
> Make org.freedesktop.ScreenSaver.SetActive(false) unlock session.
> 
> 
> Diffs
> -----
> 
>   plasma-workspace/ksmserver/screenlocker/interface.cpp ecb30a37b1a207cf9dab8c53b1b879108a99a45b 
>   plasma-workspace/ksmserver/screenlocker/ksldapp.h b292b62f4df073fff31bcbfd0e39f4c4fe04c92d 
>   plasma-workspace/ksmserver/screenlocker/ksldapp.cpp f2e5262524447e8ae1df1fbf6543297c3be3e6b8 
> 
> Diff: https://git.reviewboard.kde.org/r/117157/diff/
> 
> 
> Testing
> -------
> 
> I've tested this with KDE 4.11.5 which I'm currently running.
> Rebasing to master was completely trivial; I've looked through the code and I believe all the assumptions I made are still valid in master.
> 
> 
> Thanks,
> 
> Kirill Elagin
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20140329/40ca361f/attachment.htm>


More information about the kde-core-devel mailing list