Review Request 126115: Unset environment variables before starting kwin_wayland

Matthias Klumpp matthias at tenstral.net
Thu Nov 19 17:31:09 UTC 2015


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126115/#review88620
-----------------------------------------------------------


Okay, I talked to some GNOME people (thanks!) to find out how they handle this issue, and the short answer is: not at all.
The reason for that is that it is really hard to fully secure the compositor if we allow apps to arbitrarily write to config files in HOME.
For example, one process might start to ptrace kwin, catching all input sent through it. Or someone might install a malicious KWin script. Or the bad app might install a .desktop file override in .local/share/applications overriding e.g. Firefox and then catching all the input. Etc.
Also, if the attacker went this far, they already have access to all files in the home directory and have likely reached their goal already.

So, I think we can get KWin secure by adding some really heavy countermeasures (restricting its access to $HOME, using a setgid bit on its binary, ...); the question is: is this effort worth it?

- Matthias Klumpp


On Nov. 19, 2015, 12:22 p.m., Martin Gräßlin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126115/
> -----------------------------------------------------------
> 
> (Updated Nov. 19, 2015, 12:22 p.m.)
> 
> 
> Review request for Plasma, David Edmundson and Matthias Klumpp.
> 
> 
> Repository: plasma-workspace
> 
> 
> Description
> -------
> 
> Any environment variable which can be used to specify a path to a
> binary object to be loaded in the KWin process bears the risk of
> being abused to add code to KWin to perform as a key logger.
> 
> E.g. an env variable pointing QT_PLUGIN_PATH to a location in $HOME
> and adjusting QT_STYLE_OVERRIDE to load a specific QStyle plugin from
> that location would make it easy to log all keys without KWin noticing.
> 
> As env variables can be specified in scripts sourced before the session
> starts there is not much KWin can do about that to protect itself.
> 
> This affects all the LD_* variables and any library KWin uses that
> loads plugins.
> 
> The list here is based on what I could find:
> * LD_* variables as specified in the man page
> * LIBGL_* and EGL_* as specified on mesa page
> * QT_* variables based on "git grep qgetenv" in qtbase and qtdeclarative
>   combined with Qt's documentation
> * "git grep getenv" in various KDE frameworks based on ldd output of KWin
> 
> Unfortunately the list is unlikely to be complete. If one env variable is
> missed, there is a risk. Even more, each change in any library might
> introduce new variables.
> 
> The approach is futile, but needed until Linux has a secure way to start
> the session without sourcing env variable scripts from user owned
> locations.
> 
> 
> Diffs
> -----
> 
>   startkde/startplasmacompositor.cmake 1e46e5be0a0d733fb01e1a87a34ee3c73a06bf8c 
> 
> Diff: https://git.reviewboard.kde.org/r/126115/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Martin Gräßlin
> 
>
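The mitigation the review request describes, stripping loader- and plugin-path variables from the environment before the compositor is exec'd, as an added illustration; this is not the startplasmacompositor.cmake change under review (its diff is not reproduced here), and the prefix list (LD_, LIBGL_, EGL_, QT_) is taken from the description above, while the function names and the sample variable values are constructed for the example:

```shell
#!/bin/sh
# Added example, not the plasma-workspace patch: drop environment variables
# that can redirect which shared objects or plugins a process loads, then
# exec the compositor with the cleaned environment.
#
# Prefixes from the review description: LD_*, LIBGL_*, EGL_*, QT_*.
# Known limitation (as the description also notes): this is a denylist, so
# a variable with another prefix that also controls loading is not caught.

# List the names of exported variables matching the risky prefixes.
# `env` prints NAME=value per line; a value containing a newline whose
# continuation happens to look like NAME= would be a false positive.
risky_env_names() {
    env | awk -F= '/^(LD_|LIBGL_|EGL_|QT_)[A-Za-z0-9_]*=/ { print $1 }'
}

# Unset every risky variable in the current shell, so that anything this
# shell execs afterwards no longer inherits them. Returns the number removed.
unset_risky_env() {
    removed=0
    for name in $(risky_env_names); do
        unset "$name"
        removed=$((removed + 1))
    done
    return 0
}

# Launch helper: clean the environment, then replace this shell with the
# compositor (constructed usage: launch_compositor kwin_wayland --xwayland).
launch_compositor() {
    unset_risky_env
    exec "$@"
}

# Stand-alone demonstration with constructed values.
if [ "${DEMO:-0}" = "1" ]; then
    export LD_LIBRARY_PATH=/tmp/constructed/lib
    export QT_PLUGIN_PATH=/tmp/constructed/plugins
    echo "before:"; risky_env_names
    unset_risky_env
    echo "after (should print nothing):"; risky_env_names
fi
```

The function operates on the shell's own environment (it is not run in a subshell), which is what makes the later `exec` inherit the cleaned set; running it as a separate script would only clean that script's copy.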
