[Konsole-devel] KDE 4 Konsole DBus works -- security objections, privilege escalation possible
lists at toell.net
Mon May 4 23:48:21 UTC 2009
Lars Doelle wrote:
> If I read the patch from 3/1/09 right, it allows to simulate keystrokes remotely.
It does, true. This is however a feature, that already existed since KDE
3 days with DCOP. The whole DBus Interface is pretty much useless
without this method, since only that allows to "script" a konsole
session. This is therefore the most notable feature of konsole's DBus
interface. We should discuss the term "remotely" however - konsole
attaches itself to the session bus, where upstream just the local user
has access to this interface. So there is no way to gain access through a
remote machine e.g. by using TCP or such. The session bus is just a
local Unix Domain Socket only accessible by the user running the KDE session.
I wouldn't consider this as a (real) security issue though, since it
requires a local user who deliberately executes a malicious
script/program to do something harmful. This is the same issue for
_every_ executable being run by the user. I don't see why it should be
more dangerous to allow a user to send commands through a method to a
shell, against executing execve(1) syscalls or anything else that can be
run from a shell effectively granting the same privileges.
Or to say it differently: why should anybody care about a DBus method,
when allowed to execute own code on the local machine anyway?
I agree however, there are potential issues when having local and/or
remote sessions of shells with different privileges. But again: still
you have to run malicious code by the user's will, and I don't think
that we should consider this as one of konsole's problems just because of
the fact that konsole _allows_ different security contexts (which is
essential for a shell I guess). You wouldn't either blame SSH instead
of the user using it, just because it _allows_ root logins?
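
The post's argument rests on the session bus being a local Unix domain socket that belongs to the session user, which can be verified on a given machine. The following is an added example, not part of the original post or of Konsole: the function names are hypothetical, and it assumes the address syntax of the D-Bus specification as found in `DBUS_SESSION_BUS_ADDRESS`.

```python
import os
import stat
from urllib.parse import unquote

NETWORK_TRANSPORTS = {"tcp", "nonce-tcp"}  # reachable over IP, not just locally

def parse_bus_address(address):
    """Split a D-Bus address list ('a:k=v,k=v;b:...') into (transport, params)."""
    entries = []
    for part in filter(None, address.split(";")):
        transport, _, rest = part.partition(":")
        params = {}
        for pair in filter(None, rest.split(",")):
            key, _, value = pair.partition("=")
            params[key] = unquote(value)  # values are %-escaped in the spec
        entries.append((transport, params))
    return entries

def audit_bus_address(address, uid=None):
    """Return (verdict, detail) per listed address: local, network, warn, unknown."""
    uid = os.getuid() if uid is None else uid
    findings = []
    for transport, params in parse_bus_address(address):
        if transport in NETWORK_TRANSPORTS:
            where = f"{params.get('host', '?')}:{params.get('port', '?')}"
            findings.append(("network", f"{transport} endpoint at {where}"))
        elif transport == "unix" and "path" in params:
            findings.append(_check_socket(params["path"], uid))
        elif transport == "unix":
            # Abstract sockets have no file mode; the bus daemon's
            # authentication decides which uid may connect.
            findings.append(("local", "unix socket without a filesystem path"))
        else:
            findings.append(("unknown", f"transport {transport!r} not assessed"))
    return findings

def _check_socket(path, uid):
    try:
        st = os.stat(path)
    except OSError:
        return ("unknown", f"{path} cannot be inspected")
    if not stat.S_ISSOCK(st.st_mode):
        return ("warn", f"{path} is not a socket")
    if st.st_uid != uid:
        return ("warn", f"{path} is owned by uid {st.st_uid}, not {uid}")
    return ("local", f"{path} is a unix socket owned by uid {uid}")

if __name__ == "__main__":
    for verdict, detail in audit_bus_address(os.environ.get("DBUS_SESSION_BUS_ADDRESS", "")):
        print(verdict, detail)
```

A `network` or `warn` verdict means the "only the local user" assumption does not hold for that bus and the scripting interface deserves a closer look.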