KDE 4 Konsole DBus works -- security objections, privilege escalation possible (retracted)

Lars Doelle lars.doelle at on-line.de
Wed May 6 12:15:11 UTC 2009


> It doesn't prevent anything. Let's assume the case you explained before
> (an attacker could execute arbitrary code on the local machine). So he
> could still create a new malicious profile and execute it with
> newSession() or just wait until you spawn a new tab. If I'd exploit your
> local machine by adding a new default profile for your KDE konsole with
> this command:
> echo 'alias su="echo 'owned'"' >> ~/.bashrc && bash

You're right, Arno. If you have the admin's user account, you almost certainly
have the system. My concerns are indefensible and I retract them. Sorry for
the hassle.

> Just to give you an idea:
> arno at snowball:~$ wc -l .ssh/known_hosts
> 957 .ssh/known_hosts

Nice. And all Debian boxes? This leaves me wondering whether deployment
software, e.g. FAI, m32, is still not suited to manage massive upgrades.


