Review Request 126102: [startkde] Move sourcing of env scripts to startplasma
Martin Gräßlin
mgraesslin at kde.org
Wed Nov 18 15:35:52 UTC 2015
> On Nov. 18, 2015, 3:57 p.m., Matthias Klumpp wrote:
> > I just wanted to write what David wrote ;-)
> > Maybe a way to resolve this is to filter environment variables in KWin or before starting KWin, so anything pointing to directories in $HOME gets stripped away (unsetting LD_* variables might also be part of that).
>
> Martin Gräßlin wrote:
> well, those are many possible variables, and it might be a terrible catch-up game with any new variable Qt includes. It at least would affect:
> - LD_LIBRARY_PATH
> - QT_PLUGIN_PATH
> - PATH
> - LD_PRELOAD (see general LD_PRELOAD Wayland keylogger hack)
> - some QML variables which I don't know right now
> - anything else I don't remember right now
> - any aliases (one could do alias kwin_wayland="something evil")
> - any bash functions.
>
> Ideally there just shouldn't be any scripts sourced before kwin gets started
>
> Matthias Klumpp wrote:
> I was thinking more of an "unset all => set what's needed" workflow. Aliases can be worked around by giving absolute paths in the script.
> Still, it isn't nice and unfortunately some of those scripts need to be sourced because of $HISTORIC_REASON or simply because users expect it, or - in case of .pam_environment - because it's a global distro default.
> The only way around that would be starting KWin before SDDM starts (which would have its own problems, as far as I can see).
> Meh :-/
> The only way around that would be starting KWin before SDDM starts
nope, wouldn't be a solution as KWin needs to run in the user session.
so, yeah, maybe just unsetting all variables after the sourcing of the scripts. Might break my workflow, but well ;-)
- Martin
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126102/#review88528
-----------------------------------------------------------
On Nov. 18, 2015, 9:18 a.m., Martin Gräßlin wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126102/
> -----------------------------------------------------------
>
> (Updated Nov. 18, 2015, 9:18 a.m.)
>
>
> Review request for Plasma.
>
>
> Repository: plasma-workspace
>
>
> Description
> -------
>
> This change makes sure that the environment scripts are not sourced
> before KWin is started. No user installed scripts are allowed to modify
> KWin's environment as that opens an attack vector.
>
> For example any binary plugin loaded into KWin (be it QStyle, QPA plugin,
> etc.) is able to become a key logger. If the env variables were allowed
> to be sourced before KWin is started, a malicious application run as user
> (e.g. exploiting a browser vulnerability) would be able to install a key
> logger. Required steps:
> 1. install a malicious QStyle plugin somewhere in $HOME
> 2. place a script in env to adjust variables to load the QStyle plugin
>
> This would be enough to have a key logger on next login.
>
> Given that, the startup of KWin must not be affected by any scripts
> owned by the user prior to startup.
>
> The env scripts are now sourced as first step of startplasma, so
> for applications in the session there is no difference.
>
>
> Diffs
> -----
>
> startkde/startplasma.cmake 8360a636d3f68c957a15158484360a611cfe3ff8
> startkde/startplasmacompositor.cmake 8b5db615142455fd360c66504fc5d5a7754a029c
>
> Diff: https://git.reviewboard.kde.org/r/126102/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Martin Gräßlin
>
>