Review Request 117157: Unlock session via DBus

Michael Pyne mpyne at kde.org
Sun Mar 30 22:25:58 BST 2014


On Sat, March 29, 2014 15:25:59 Thiago Macieira wrote:
> Em sáb 29 mar 2014, às 12:25:48, Martin Gräßlin escreveu:
> > no, the lockscreen is secure. If you are logged in at a tty there is no
> > way
> > to unlock the screen - the only way to bypass the lock is to kill
> > ksmserver
> > which results in the session being killed.
> 
> You can attach gdb to ksmserver and make it think that the authentication
> was successful for whichever password was typed.

I'll note I've actually done this before, during the development process for 
the new QML-based screenlocker.

The screenlocker at that time would often simply not show the UI for entering 
the password for whatever reason and leave me completely locked out of the 
desktop... talk about lame! ;)

With that in mind I'd love to have a "more official" way to tear down the 
screenlocker from a separate same-user login. If you think being able to 
unlock a screenlocker is bad security, wait until you figure out that a same-
user login can also copy your KWallet passwords out of your running kwalletd 
if you have it unlocked (something which can be queried over DBus as well). In 
fact the list of folders and keys present in KWallet (though not their values) 
can be queried without unlocking KWallet, or even causing it to prompt to 
unlock.

And remember the threat model: Who are we locking the screen again? A 
physically-present adversary. If they can gain access to a TTY login we are 
already screwed, especially if they have enough skill to manually hack the 
qdbus command line invocations needed.

Regards,
 - Michael Pyne




More information about the kde-core-devel mailing list