Review Request 126115: Unset environment variables before starting kwin_wayland

Martin Gräßlin mgraesslin at kde.org
Thu Nov 19 14:55:03 UTC 2015



> On Nov. 19, 2015, 3:08 p.m., Matthias Klumpp wrote:
> > Did you consider running the whole script with `env -i`, or (likely the better idea) run KWin with `env -i`?
> > That should sanitize the environment (unset all env vars, except for shell-defaults). You could then set exactly the variables you need, to the exact values you want, so we don't miss unsetting anything.
> 
> Martin Gräßlin wrote:
>     No I didn't consider that, because I wasn't aware that this exists.
> 
> Martin Gräßlin wrote:
>     Just tried changing it directly in the wayland session file. That doesn't work at all. I think the main problem is that I lose important env variables related to the logind session/dbus, etc.
>     
>     So the only way would be for the command to start kwin_wayland. But that as well would require setting quite a number of env variables, but it is worth a try.

Just gave it a try - the command looks horrible, but I got the session started and the env variables are properly filtered.

Command looks like this now:
    /usr/bin/env -i KDE_FULL_SESSION=true KDE_SESSION_VERSION=5 KDE_SESSION_UID=${KDE_SESSION_UID} XDG_CURRENT_DESKTOP=KDE QT_QPA_PLATFORM=wayland PAM_KWALLET5_LOGIN=${PAM_KWALLET5_LOGIN} USER=${USER} LANGUAGE=${LANGUAGE} XDG_SEAT=${XDG_SEAT} XDG_SESSION_TYPE=${XDG_SESSION_TYPE} XCURSOR_SIZE=${XCURSOR_SIZE} HOME=${HOME} DESKTOP_SESSION=${DESKTOP_SESSION} XDG_SEAT_PATH=${XDG_SEAT_PATH} DBUS_SESSION_BUS_ADDRESS=${DBUS_SESSION_BUS_ADDRESS} LOGNAME=${LOGNAME} XDG_SESSION_CLASS=${XDG_SESSION_CLASS} XDG_SESSION_ID=${XDG_SESSION_ID} PATH=${PATH} XDG_SESSION_PATH=${XDG_SESSION_PATH} XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR} XCURSOR_THEME=${XCURSOR_THEME} LANG=${LANG} XDG_SESSION_DESKTOP=${XDG_SESSION_DESKTOP} XCURSOR_PATH=${XCURSOR_PATH} XDG_VTNR=${XDG_VTNR} PWD=${PWD} XDG_DATA_DIRS=${XDG_DATA_DIRS} XDG_CONFIG_DIRS=${XDG_CONFIG_DIRS} @KWIN_WAYLAND_BIN_PATH@ --xwayland --libinput --exit-with-session=@CMAKE_INSTALL_FULL_LIBEXECDIR@/startplasma


- Martin


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126115/#review88597
-----------------------------------------------------------
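The allowlist approach from the command above, written as a reusable shell function (an added example, not code from the review or from plasma-workspace): only named variables from the login session are forwarded through `env -i`, so loader and plugin-path variables set by a sourced user script never reach the compositor. The allowlist is a trimmed, assumed subset; a real session needs the full list from the command.

```sh
#!/bin/sh
# Variables the compositor is allowed to inherit from the login session.
# Assumption: a short subset of the review's list, for illustration only.
KWIN_ENV_ALLOWLIST="HOME USER LOGNAME PATH LANG XDG_RUNTIME_DIR XDG_SEAT \
XDG_SESSION_ID XDG_VTNR DBUS_SESSION_BUS_ADDRESS"

# Run "$@" under env -i with only allowlisted variables that are currently
# set, plus the fixed values the session script chooses itself.
run_with_clean_env() {
    for name in $KWIN_ENV_ALLOWLIST; do
        # eval only ever expands a name taken from our own allowlist.
        eval "value=\${$name+set}"
        if [ -n "$value" ]; then
            # Prepend NAME=value to the positional parameters; order of
            # the assignments does not matter to env, so prepending is fine.
            eval "set -- \"$name=\$$name\" \"\$@\""
        fi
    done
    set -- KDE_FULL_SESSION=true KDE_SESSION_VERSION=5 \
           QT_QPA_PLATFORM=wayland XDG_CURRENT_DESKTOP=KDE "$@"
    env -i "$@"
}

# Self-check: a loader path and a Qt plugin path set in the caller's
# environment (constructed values) must not reach the child, while an
# allowlisted session variable and a fixed value must. Returns 0 on success.
check_loader_vars_dropped() {
    out=$(LD_LIBRARY_PATH=/tmp/constructed QT_PLUGIN_PATH=/tmp/constructed \
          XDG_RUNTIME_DIR=/run/user/1000 \
          run_with_clean_env /bin/sh -c \
          'echo "ld=${LD_LIBRARY_PATH-unset} qt=${QT_PLUGIN_PATH-unset} rt=${XDG_RUNTIME_DIR-unset} qpa=${QT_QPA_PLATFORM-unset}"')
    [ "$out" = "ld=unset qt=unset rt=/run/user/1000 qpa=wayland" ]
}
```

A session script would end with something like `run_with_clean_env /path/to/kwin_wayland --xwayland --libinput`; the self-check shows that the allowlist, not the unset list, decides what gets through.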


On Nov. 19, 2015, 1:22 p.m., Martin Gräßlin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126115/
> -----------------------------------------------------------
> 
> (Updated Nov. 19, 2015, 1:22 p.m.)
> 
> 
> Review request for Plasma, David Edmundson and Matthias Klumpp.
> 
> 
> Repository: plasma-workspace
> 
> 
> Description
> -------
> 
> Any environment variable which can be used to specify a path to a
> binary object to be loaded in the KWin process bears the risk of
> being abused to add code to KWin to perform as a key logger.
> 
> E.g. an env variable pointing QT_PLUGIN_PATH to a location in $HOME
> and adjusting QT_STYLE_OVERRIDE to load a specific QStyle plugin from
> that location would make it easy to log all keys without KWin noticing.
> 
> As env variables can be specified in scripts sourced before the session
> starts there is not much KWin can do about that to protect itself.
> 
> This affects all the LD_* variables and any library KWin uses that
> loads plugins.
> 
> The list here is based on what I could find:
> * LD_* variables as specified in the man page
> * LIBGL_* and EGL_* as specified on mesa page
> * QT_* variables based on "git grep qgetenv" in qtbase and qtdeclarative
>   combined with Qt's documentation
> * "git grep getenv" in various KDE frameworks based on ldd output of KWin
> 
> Unfortunately the list is unlikely to be complete. If one env variable is
> missed, there is a risk. Even more, each change in any library might
> introduce new variables.
> 
> The approach is futile, but needed until Linux has a secure way to start
> the session without sourcing env variable scripts from user-owned
> locations.
> 
> 
> Diffs
> -----
> 
>   startkde/startplasmacompositor.cmake 1e46e5be0a0d733fb01e1a87a34ee3c73a06bf8c 
> 
> Diff: https://git.reviewboard.kde.org/r/126115/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Martin Gräßlin
> 
>
