KDE Wallet Manager: Once a wallet is open an application has access to all passwords there?

Jonathan Verner jonathan.verner at matfyz.cz
Wed Dec 25 23:45:21 UTC 2013


> LD_PRELOAD would be the most obvious.

Yes, of course, ... This too can be protected against, especially in the
scenario where the exploited application is sandboxed
(e.g. explicitly via AppArmor profiles, SELinux scrubs LD_PRELOAD & friends
when transitioning between domains by default, ...).

> listening on the microphone to analyze keypresses

Sure... Why do we bother with encrypting the passwords at all, then? We might
as well store them in a world-readable plaintext file named passwords.txt, 
and, for good measure, expose them to anyone who asks on port 80.

J.V.

On Wed, 25 December 2013 23:35:25, Martin Sandsmark wrote:
> On Wed, Dec 25, 2013 at 10:26:58PM +0100, Jonathan Verner wrote:
> > I don't think that would be the case. The only way I know of 'injecting'
> > into other processes is ptrace (unless, of course, you have full root
> > permissions). On Ubuntu, at least, ptracing is restricted to descendant
> > processes by default and can be restricted on a per-process basis via a
> > syscall.
> 
> LD_PRELOAD would be the most obvious. And I'm no security guy, so there are
> probably more ways, including altering LD_LIBRARY_PATH, tricking with local
> .desktop files, sniffing things going through dbus, sniffing X events,
> listening on the microphone to analyze keypresses, (side-channel attacks are
> awesome), etc.
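
Added example, not part of the original thread and not KDE code: a Linux-only C sketch of the self-checks a secret-holding process could run for the mechanisms discussed above (loader variables, the system-wide ptrace restriction, and a per-process restriction). Assumptions: the thread does not name the syscall, so `prctl(PR_SET_DUMPABLE)` is used as one such call; `LD_AUDIT` stands in for the "& friends"; the function names and `SAMPLE_ENV` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Loader variables from the thread, plus LD_AUDIT (assumed "friend"). */
static const char *const LOADER_VARS[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT" };

/* Constructed sample environment; LD_PRELOADED must not match LD_PRELOAD. */
char *const SAMPLE_ENV[] = { "HOME=/home/user", "LD_PRELOAD=/tmp/hook.so",
                             "LD_PRELOADED=no", "LD_LIBRARY_PATH=/opt/lib", NULL };

/* Count entries of a NULL-terminated env block that set a loader variable. */
int count_loader_vars(char *const envp[])
{
    int hits = 0;
    for (size_t i = 0; envp && envp[i]; i++)
        for (size_t v = 0; v < sizeof LOADER_VARS / sizeof *LOADER_VARS; v++) {
            size_t n = strlen(LOADER_VARS[v]);
            if (strncmp(envp[i], LOADER_VARS[v], n) == 0 && envp[i][n] == '=')
                hits++;
        }
    return hits;
}

/* Yama policy: 0 classic, 1 descendants only, 2 admin only, 3 no attach.
 * Returns -1 when the file is missing (Yama not enabled) or unreadable. */
int read_ptrace_scope(const char *path)
{
    int scope = -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Per-process restriction: a non-dumpable process cannot be ptrace-attached
 * by callers without CAP_SYS_PTRACE. Returns 0 once the flag reads back 0. */
int deny_ptrace_attach(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

int main(void)
{
    extern char **environ;
    printf("loader variables set: %d\n", count_loader_vars(environ));
    printf("yama ptrace_scope: %d\n", read_ptrace_scope("/proc/sys/kernel/yama/ptrace_scope"));
    printf("deny_ptrace_attach: %d\n", deny_ptrace_attach());
    return 0;
}
```

A scope of 1 corresponds to the descendants-only default described for Ubuntu in the thread; none of these checks addresses the D-Bus, X event or side-channel items in the quoted list.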



More information about the Kde-utils-devel mailing list