KDE Wallet Manager: Once a wallet is open an application has access to all passwords there?

Jonathan Verner jonathan.verner at matfyz.cz
Thu Nov 14 14:32:20 UTC 2013


Hi,

thanks for your comments!

> 1. An executable path may not be the safest way to ensure the validity of a program. Maybe a signed executable can do so in a better way, but this is a much more complicated way, especially because there must be someone who signs applications for you.

Sure, it is not completely safe; but I don't think it is the responsibility of a
password manager to guard against tampered executables; and signed
executables are not the panacea anyway, since they still may have bugs
allowing them to execute malicious code. Note also that the AppArmor
security framework relies on paths to identify executables, so I wouldn't
dismiss the approach so easily.

> 2. What if a binary moves? Does this cause the loss of all stored passwords? That means you need at least an abstraction layer that can map an executable to a unique id.

I don't think this is such a big problem. Most binaries (think
browser, mail application) are system binaries which rarely, if ever,
move. And if they move, all that will be required is that the user
manually grant access to these moved binaries when they try to access
the passwords.

> Anyway: I think it is very important to think about this. The current situation is very unsafe. I think nobody can ensure that every part of his system works as expected.

I think so too. Luckily, KDE is not (yet) popular enough for it to
attract malware authors ;-) But I think we should prepare...

Have a nice day,

Jonathan


2013/11/13 Till Schäfer <till2.schaefer at tu-dortmund.de>
>
> Hi,
> that solution seems to introduce a lot of new trouble:
>
> 1. An executable path may not be the safest way to ensure the validity of a program. Maybe a signed executable can do so in a better way, but this is a much more complicated way, especially because there must be someone who signs applications for you.
> 2. What if a binary moves? Does this cause the loss of all stored passwords? That means you need at least an abstraction layer that can map an executable to a unique id.
>
> Anyway: I think it is very important to think about this. The current situation is very unsafe. I think nobody can ensure that every part of his system works as expected.
>
> Greetings
> Till
>
> On Wednesday, 13 November 2013, 19:21:46 Jonathan Verner wrote:
> > This problem has been bugging me too and I don't think that it should
> > be dismissed so easily. Suppose malware started being more common on
> > Linux. Then a malware author would find the KDE wallet to be a treasure
> > trove. Of course, one could keep the wallet locked at all times and enter the
> > password whenever an application needed access, but that (in my opinion)
> > kind of defeats the purpose.
> >
> > When I was originally thinking about this problem, the wallet was accessed
> > directly by each application (if I understood correctly) which meant that
> > there was no way to prevent an application from accessing whatever it wanted.
> >
> > However, now that the wallet is accessed over D-Bus (if I understand
> > correctly) and that D-Bus supports getting the process ID of the connecting
> > side (at least on UNIX there is the function
> > dbus_connection_get_unix_process_id), access to a given folder could
> > be granted based on the executable file (/proc/PID/exe) of the requesting
> > process. This should prevent local unprivileged attacks. An attacker
> > with rw access to, e.g., /usr/bin would still get the passwords, of course.
> >
> > Is there something I am missing or would this be feasible?
> >
> > Jonathan Verner
> >
> >
> > On 13. 11. 2013 FF <fafisfriend at ya.com> wrote:
> > > Thanks, Eike, for your time and explanation.
> > >
> > > But I do not feel any better. The thing is that, e.g., I do not want
> > > Netbeans accessing my Kontact related passwords.
> > >
> > > For the moment I have seen that I can use two wallets (KDE System Settings
> > > -> Account Details -> KDE Wallet) and now I have separated both worlds.
> > >
> > > Maybe having a wallet for each software vendor would sound safer...
> > _______________________________________________
> > Kde-utils-devel mailing list
> > Kde-utils-devel at kde.org
> > https://mail.kde.org/mailman/listinfo/kde-utils-devel
> >
> --
> pgp: https://keyserver2.pgp.com/vkd/SubmitSearch.event?&&SearchCriteria=0xD84DED79
>