Review Request 117157: Unlock session via DBus

Thomas Lübking thomas.luebking at
Mon Mar 31 00:43:22 BST 2014

On Montag, 31. März 2014 00:36:29 CEST, Thiago Macieira wrote:

> They can already access all of the other applications
depends on whether they actively suppress such.

> and the user's files.

> They can attach gdb to any of the user processes.
"depends on whether they actively suppress such."

> They can listen to all messages on D-Bus.
> They can attach to any IPC mechanism the user has access 
> to.
Question is whether applications expose secrets or access to other shells/services via dbus.
Ie. can you highjack an open ssl connection, control banking software etc.

> They can also launch [...] a keylogger 
True and if you enter a password into anything that does not grab the keyboard, this is a general issue of X11 (and if you've physical access to the machine, that doesn't matter either, because you can add a cronjob/service to track the device nodes)

Leaving access to an open shell is certainly bad enough - beyond question.
The question is whether gaining direct access to a running session and random open clients (and leaving the stage untraced) is more valuable and thus worth pretection.


> And, oh, the attacker can change the user's password!
Errhemmm... Without providing the present one?
/That/ trick you gotta show me. =)


More information about the kde-core-devel mailing list