KDE Wallet Manager: Once a wallet is open an application has access to all passwords there?

Jonathan Verner jonathan.verner at matfyz.cz
Wed Dec 25 21:26:58 UTC 2013


> That would be entirely irrelevant, as the malware could just inject itself
> into any of your processes.

I don't think that would be the case. The only way I know of 'injecting' into 
other processes is ptrace (unless, of course, you have full root permissions). 
On Ubuntu, at least, ptracing is restricted to descendant processes by default
and can be restricted on a per-process basis via a syscall.

> If you manage to run malware in your Linux machine you have much bigger
> issues than it being able to maybe connect to KWallet.

I am not so sure. Actually, for malware authors, I think my KWallet would be
the most interesting target on my laptop.

Moreover, I think that running malware in Linux is not an 'if' question but a
'when' question. And I'd like to be prepared. One interesting direction is the
possibility to run sandboxed applications. As the situation stands, this is not
possible with KWallet. (Securely) allowing wallet access
based on applications would be a step in this direction.

I am thinking of looking into implementing this, but I would not want to waste 
my time in case people were not interested. Also, is there some evident reason
why this would not work?

Best,

Jonathan


On Tue, 24 December 2013 15:31:33, Martin Sandsmark wrote:
> On Wednesday 13 November 2013 19:21:46 Jonathan Verner wrote:
> > This problem has been bugging me too and I don't think that it should
> > be dismissed so easily. Suppose malware started being more common on
> > Linux. Then a malware author would find the KDE wallet to be a treasure
> > trove. Of course, one could keep the wallet locked at all times and enter
> > the password whenever an application needed access, but that (in my
> > opinion) kind of defeats the purpose.
> 
> That would be entirely irrelevant, as the malware could just inject itself
> into any of your processes.
> 
> If you manage to run malware in your Linux machine you have much bigger
> issues than it being able to maybe connect to KWallet.
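
An added example, not part of the original message or of KWallet's code: a secret-holding process reads the Yama `ptrace_scope` setting mentioned above and then opts itself out of unprivileged ptrace attach. The message names no specific syscall; `prctl(PR_SET_DUMPABLE, 0)` is used here as one such per-process mechanism, and the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>

/* Meaning of the values in /proc/sys/kernel/yama/ptrace_scope (Yama LSM). */
const char *yama_scope_meaning(int scope) {
    switch (scope) {
    case 0: return "classic: any process with the same uid may attach";
    case 1: return "restricted: a process may attach only to its descendants";
    case 2: return "admin-only: attaching requires CAP_SYS_PTRACE";
    case 3: return "no attach: ptrace attach is disabled";
    default: return "unknown, or Yama is not available";
    }
}

/* Read the current setting from `path`. Returns -1 if the file cannot be
   read, e.g. the kernel has no Yama support or /proc is not mounted. */
int read_yama_scope(const char *path) {
    FILE *f = fopen(path, "r");
    int scope = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Per-process opt-out: clear the "dumpable" flag. The kernel then refuses
   ptrace attach (and core dumps) for this process unless the caller holds
   CAP_SYS_PTRACE. Returns 0 once the flag is confirmed cleared. */
int deny_ptrace_attach(void) {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

int main(void) {
    int scope = read_yama_scope("/proc/sys/kernel/yama/ptrace_scope");
    printf("ptrace_scope=%d (%s)\n", scope, yama_scope_meaning(scope));
    if (deny_ptrace_attach() != 0) {
        perror("prctl");
        return 1;
    }
    puts("dumpable flag cleared: unprivileged ptrace attach is refused");
    return 0;
}
```

The dumpable flag is reset to its default by `execve`, so a daemon has to clear it again after re-executing itself.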



More information about the Kde-utils-devel mailing list