[kio] src/ioslaves/file/kauth: Do not cache root password for the whole session

Luca Beltrame lbeltrame at kde.org
Sat Jan 13 10:59:44 UTC 2018


On Fri, 12 Jan 2018 19:10:07 +0530
chinmoy ranjan <chinmoyrp65 at gmail.com> wrote:

> Persistence =session or always both are same and will cache the
> password for 5 mins.

I'll do another check by adjusting the persistence again. However, I'm
still not sure about caching passwords in file operations. KIO can do
almost anything (unlike the other KCMs which use KAuth, for example) at
the file level, so one would possibly be able to do things in the time
the password is cached (e.g., copy /etc/passwd, etc.).
I mean in the time after the first operation has been done, but the
password is already cached.

Note that I don't question the need for this: it is a *must* for things
working as elevated users in Wayland.

> TBH I can't see how any application will bypass the prompt. Maybe I am
> wrong. Can you elaborate on the potential risks?

See above for a scenario. The main reason I'm being so cautious is that
distributions will have to ensure this is safe from a security point of
view (and at least for the one I contribute to, some KAuth usage has
come under fire in the past - sometimes with merit, sometimes not, but
it happened).
