Current security issues with KAuth support in KIO
Fabian Vogt
fabian at ritter-vogt.de
Mon Feb 5 08:13:29 UTC 2018
Hi,
On Sunday, 4 February 2018, 23:47:26 CET, Albert Astals Cid wrote:
> So we're having KF5 5.43 next week, has this been figured out?
not quite, but it's on the right track (unlikely for 5.43 though). See below.
Cheers,
Fabian
> I find this thread ended too open ended for my taste.
>
> Cheers,
> Albert
>
> On Saturday, 13 January 2018, at 23:55:16 CET, Luca Beltrame
> wrote:
> > (please keep Fabian in CC, he's not subscribed and found out most of the
> > issues reported here)
> >
> > At openSUSE we have to request reviews by the security team before
> > new polkit services get accepted. This is the case for the kio kauth helper
> > as well.
> > While the security team raised concerns with the wide capabilities of the
> > helper (it can easily be used to do literally everything), we had a look at
> > the implementation itself to find some obvious security issues:
> >
> > - The privilege is persistent for the entire session (already fixed).
Not fixed, needs some rework.
> > - The confirmation prompt for the kauth action use does not tell what is
> > going to happen. So you might open a file dialog and then instead of
> > opening a file, write to /bin/sh.
Not fixed, probably needs some changes in KAuth or at the very least splitting
the current action into multiple ones.
> > - Trivial stack-based buffer overflow in the kauth helper:
> > https://cgit.kde.org/kio.git/tree/src/ioslaves/file/sharefd_p.h#n57
Fixed.
> > - The socket used to send and receive file descriptors does not have any
> > kind of permission check. You can easily send fds to and receive fds from
> > users of the kauth helper on the same machine.
Fixed.
> > (BTW,
> > SocketAddress::length should return the actual length of the buffer,
> > currently it adds ~100 '\0' bytes to the end)
Fixed.
> >
> > In its current state we cannot recommend that anyone enable this.
> > However, we hope that those issues can be addressed, it does provide some
> > useful functionality.
> >
> > Luca Beltrame
> > on behalf of the openSUSE KDE Team