KDE Wallet Manager: Once a wallet is open an application has access to all passwords there?

Jonathan Verner jonathan.verner at matfyz.cz
Thu Dec 26 23:57:23 UTC 2013


> It would seem obvious that the sandboxing would prevent it from connecting
> to dbus as well in that case. 

It would? Did you check? A sandbox can be configured so that an application is 
only able to connect to a specified dbus endpoint.

> I don't know, but I assume it is because of the case of losing your laptop,
> and not encrypting your home partition.

The question is: why do we bother preventing this particular threat while 
ignoring other threats? Paraphrasing your previous argument, when your laptop
gets stolen, you have much bigger issues than the thief being able to maybe 
access your kwallet.

> I really don't see what you're trying to achieve.

No offence, but the problem, it seems to me, is that you _know_ that whatever 
I'm trying to achieve is stupid. That might in fact be true, but I don't see 
this discussion convincing either of us, so we might as well stop wasting our 
time :-)


J.V.


On Thu, 26 December 2013 19:02:53, Martin Sandsmark wrote:
> On Thu, Dec 26, 2013 at 12:45:21AM +0100, Jonathan Verner wrote:
> > Yes, of course, ... This too can be protected against, especially in the
> > scenario where the exploited application is sandboxed
> > (e.g. explicitly via apparmor profiles, selinux scrubs LD_PRELOAD & friends
> > when transitioning between domains by default, ...).
> 
> It would seem obvious that the sandboxing would prevent it from connecting
> to dbus as well in that case. I really don't see what you're trying to
> achieve.
> 
> > Sure... Why do we bother with encrypting the passwords at all, then? We
> > might as well store them in a world-readable plaintext file named
> > passwords.txt,
> I don't know, but I assume it is because of the case of losing your laptop,
> and not encrypting your home partition.
> 
> > and, for good measure, expose them to anyone who asks on port 80.
> 
> Now you're just being obtuse.


