Review Request 117157: Unlock session via DBus
mpyne at kde.org
Sun Mar 30 22:25:58 BST 2014
On Sat, March 29, 2014 15:25:59 Thiago Macieira wrote:
> Em sáb 29 mar 2014, às 12:25:48, Martin Gräßlin escreveu:
> > no, the lockscreen is secure. If you are logged in at a tty there is no
> > way
> > to unlock the screen - the only way to bypass the lock is to kill
> > ksmserver
> > which results in the session being killed.
> You can attach gdb to ksmserver and make it think that the authentication
> was successful for whichever password was typed.
I'll note I've actually done this before, during the development process for
the new QML-based screenlocker.
The screenlocker at that time would often simply not show the UI for entering
the password for whatever reason and leave me completely locked out of the
desktop... talk about lame! ;)
With that in mind I'd love to have a "more official" way to tear down the
screenlocker from a separate same-user login. If you think being able to
unlock a screenlocker is bad security, wait until you figure out that a same-
user login can also copy your KWallet passwords out of your running kwalletd
if you have it unlocked (something which can be queried over DBus as well). In
fact the list of folders and keys present in KWallet (though not their values)
can be queried without unlocking KWallet, or even causing it to prompt to
And remember the threat model: Who are we locking the screen again? A
physically-present adversary. If they can gain access to a TTY login we are
already screwed, especially if they have enough skill to manually hack the
qdbus command line invocations needed.
- Michael Pyne
More information about the kde-core-devel