Review Request 117157: Unlock session via DBus
thiago at kde.org
Sun Mar 30 23:36:29 BST 2014
On Mon 31 Mar 2014, at 00:01:13, Thomas Lübking wrote:
> > If they can gain access to a TTY login we are already screwed
> leaving aside the present issue (/MainApplication quit being exposed to
> dbus) and given ptrace (gdb solution) is denied: in how far? (beyond
> killing the session, ie. being a nasty little jerk
They can already access all of the other applications and the user's files.
They can attach gdb to any of the user processes. They can listen to all
messages on D-Bus. They can attach to any IPC mechanism the user has access

They can also launch new X applications. So they may not cause the session to
unlock, but they can still launch a keylogger application that will take effect
when the legitimate user returns and unlocks the screen.

And, oh, the attacker can change the user's password! If it's a matter of
unlocking the screen, they can use passwd to change the password, unlock the
screen with the new password and then happily use the running session.
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
Software Architect - Intel Open Source Technology Center
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358