Review Request 126102: [startkde] Move sourceing of env scripts to startplasma

Matthias Klumpp matthias at tenstral.net
Wed Nov 18 15:30:30 UTC 2015



> On Nov. 18, 2015, 2:57 p.m., Matthias Klumpp wrote:
> > I just wanted to write what David wrote ;-)
> > Maybe a way to resolve this is to filter environment variables in KWin or before starting KWin, so anything pointing to directories in $HOME gets stripped away (unsetting LD_* variables might also be part of that).
> 
> Martin Gräßlin wrote:
>     Well, those are many possible variables, and it might be a terrible catch-up game with any new variable Qt includes. It at least would affect:
>     - LD_LIBRARY_PATH
>     - QT_PLUGIN_PATH
>     - PATH
>     - LD_PRELOAD (see general LD_PRELOAD Wayland keylogger hack)
>     - some QML variables which I don't know right now
>     - anything else I don't remember right now
>     - any aliases (one could do alias kwin_wayland="something evil")
>     - any bash functions.
>     
>     Ideally there just shouldn't be any scripts sourced before kwin gets started

I was thinking more of an "unset all => set what's needed" workflow. Aliases can be worked around by giving absolute paths in the script.
Still, it isn't nice and unfortunately some of those scripts need to be sourced because of $HISTORIC_REASON or simply because users expect it, or - in case of .pam_environment - because it's a global distro default.
The only way around that would be starting KWin before SDDM starts (which would have its own problems, as far as I can see).
Meh :-/


- Matthias


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126102/#review88528
-----------------------------------------------------------


On Nov. 18, 2015, 8:18 a.m., Martin Gräßlin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126102/
> -----------------------------------------------------------
> 
> (Updated Nov. 18, 2015, 8:18 a.m.)
> 
> 
> Review request for Plasma.
> 
> 
> Repository: plasma-workspace
> 
> 
> Description
> -------
> 
> This change makes sure that the environment scripts are not sourced
> before KWin is started. No user installed scripts are allowed to modify
> KWin's environment as that opens an attack vector.
> 
> For example any binary plugin loaded into KWin (be it QStyle, QPA plugin,
> etc.) is able to become a key logger. If the env variables were allowed
> to be sourced before KWin is started a malicious application run as user
> (e.g. by exploiting a browser vulnerability) would be able to install a key
> logger. Required steps:
> 1. install a malicious QStyle plugin somewhere in $HOME
> 2. place a script in env to adjust variables to load the QStyle plugin
> 
> This would be enough to have a key logger on next login.
> 
> Given that, the startup of KWin must not be affected by any scripts
> owned by the user prior to startup.
> 
> The env scripts are now sourced as first step of startplasma, so
> for applications in the session there is no difference.
> 
> 
> Diffs
> -----
> 
>   startkde/startplasma.cmake 8360a636d3f68c957a15158484360a611cfe3ff8 
>   startkde/startplasmacompositor.cmake 8b5db615142455fd360c66504fc5d5a7754a029c 
> 
> Diff: https://git.reviewboard.kde.org/r/126102/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Martin Gräßlin
> 
>

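As an added illustration of the "unset all => set what's needed" launcher Matthias sketches above (example code written for this page, not part of the plasma-workspace change under review and not anyone's reply), the shell snippet below builds the compositor's environment from an allow-list instead of chasing the open-ended deny-list Martin enumerates (LD_*, QT_PLUGIN_PATH, PATH, aliases, functions). The allow-list contents, the pinned PATH and the /usr/bin/kwin_wayland path are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from plasma-workspace or from this review thread.
# Build a fresh environment from an allow-list, refuse allow-listed values
# that point into $HOME, and start the command by absolute path so aliases
# and shell functions cannot interpose. SAFE_VARS, FIXED_PATH and the
# kwin_wayland location are assumptions.

# Variables the compositor is assumed to need. Everything else (LD_PRELOAD,
# LD_LIBRARY_PATH, QT_PLUGIN_PATH, QML_* ...) is simply not carried over,
# so no deny-list has to be kept in sync with new Qt variables.
SAFE_VARS="HOME USER LOGNAME SHELL LANG LC_ALL TERM DISPLAY XDG_RUNTIME_DIR XDG_SESSION_ID XDG_SEAT XDG_VTNR DBUS_SESSION_BUS_ADDRESS"
# PATH is never inherited; it is pinned to system directories (assumption).
FIXED_PATH="/usr/local/bin:/usr/bin:/bin"

# Emit the sanitized environment as NAME=VALUE lines. An allow-listed value
# that names a location under $HOME, either alone or as one entry of a
# colon-separated list, is dropped; HOME itself is the only exception.
sanitize_env() {
    home="${HOME:-}"
    for name in $SAFE_VARS; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || continue
        if [ "$name" != HOME ] && [ -n "$home" ]; then
            case ":$value:" in
                *":$home:"*|*":$home/"*) continue ;;
            esac
        fi
        printf '%s=%s\n' "$name" "$value"
    done
    printf 'PATH=%s\n' "$FIXED_PATH"
}

# Run "$@" (which must start with an absolute path) under exactly the
# environment sanitize_env produces. The body is a subshell so the caller's
# environment is untouched; exec replaces that subshell with the command.
launch_sanitized() (
    case "$1" in
        /*) ;;
        *) printf 'launch_sanitized: refusing non-absolute command: %s\n' "$1" >&2
           exit 2 ;;
    esac
    wanted=$(sanitize_env)
    # Unset every currently exported variable ...
    for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u); do
        unset "$name" 2>/dev/null || true
    done
    # ... then export only what sanitize_env approved, one NAME=VALUE per line.
    while IFS= read -r assignment; do
        [ -n "$assignment" ] || continue
        export "$assignment"
    done <<EOF
$wanted
EOF
    exec "$@"
)

# Usage from a session script (assumed path):
# launch_sanitized /usr/bin/kwin_wayland --xwayland
```

The allow-list only controls what this launcher hands to the compositor; if the shell that runs the launcher has itself already sourced user-owned scripts, an alias or function named sanitize_env would still win, which is why the change under review moves the sourcing to after KWin is started rather than filtering.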