Review Request 117157: Unlock session via DBus

Thiago Macieira thiago at
Sun Mar 30 19:53:01 BST 2014

Em dom 30 mar 2014, às 19:38:14, Thomas Lübking escreveu:
> > I disagree. The user already authenticated via their password 
> I should have been more precise in the first sentence:
>    Unlocking via a dbus command [that requires password authentication] is
> imo very problematic [because that will end up exposing the password
> on-disk]

How does the password end up on disk?

> > before they were able to send the D-Bus command in the first place. 
> > So why not allow them to unlock?
> Because we protect the session, not the shell.
> Occasional access will already be stopped by having to use gdb in the first
> place and even then it's possible to protect the process from manipulation
> by the same UID.

I maintain that this is not a protection. Unlocking without a password remains 
possible, but you're making it difficult for those of us who tinker with KDE and 
sometimes misconfigure the authentication. In the past, I could kill a process 
when I had improperly installed KDE and the greeter couldn't authenticate via 
PAM. Now I have to kill ksmserver or cause the session to exit via D-Bus.

All processes by the same user should be trusted.

Thiago Macieira - thiago (AT) - thiago (AT)
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

More information about the kde-core-devel mailing list