Review Request 117157: Unlock session via DBus
thomas.luebking at gmail.com
Mon Mar 31 00:43:22 BST 2014
On Montag, 31. März 2014 00:36:29 CEST, Thiago Macieira wrote:
> They can already access all of the other applications
depends on whether they actively suppress such.
> and the user's files.
> They can attach gdb to any of the user processes.
"depends on whether they actively suppress such."
> They can listen to all messages on D-Bus.
> They can attach to any IPC mechanism the user has access
Question is whether applications expose secrets or access to other shells/services via dbus.
Ie. can you highjack an open ssl connection, control banking software etc.
> They can also launch [...] a keylogger
True and if you enter a password into anything that does not grab the keyboard, this is a general issue of X11 (and if you've physical access to the machine, that doesn't matter either, because you can add a cronjob/service to track the device nodes)
Leaving access to an open shell is certainly bad enough - beyond question.
The question is whether gaining direct access to a running session and random open clients (and leaving the stage untraced) is more valuable and thus worth pretection.
> And, oh, the attacker can change the user's password!
Errhemmm... Without providing the present one?
/That/ trick you gotta show me. =)
More information about the kde-core-devel