Review Request 126115: Unset environment variables before starting kwin_wayland

Matthias Klumpp matthias at tenstral.net
Thu Nov 19 19:56:26 UTC 2015 


> On Nov. 19, 2015, 5:31 nachm., Matthias Klumpp wrote:
> > Okay, I talked to some GNOME people (thanks!) to find out how they handle this issue, and the short answer is: Not at all
> > Reason for that is that it is really hard to fully secure the compositor if we allow apps to arbitrarily write to config files in HOME.
> > For example, one process might start to ptrace kwin, catching all input sent through it. Or someone might install a malicious KWin script. Or the bad app might install a .desktop file override in .local/share/applications overriding e.g. Firefox and then catching all the input. Etc.
> > Also, if the attacker went this far, they already have access to all files in the home directory and likely have reached their goal already.
> > 
> > So, I think we can get KWin secure by adding some really heavy countermeasures (restricting it's access to $HOME, using a setgid bit on it's binary, ...) the question is: Is this effort worth it?
> 
> Martin Gräßlin wrote:
>     Thanks for asking.
>     
>     > Not at all
>     
>     I already feared that this would be the answer
>     
>     > if we allow apps to arbitrarily write to config files in HOME.
>     
>     I don't think this is an issue in the case of KWin.
>     
>     > ptrace kwin
>     
>     At least on Ubuntu one needs to be root to e.g. attach gdb to the process. Might be an idea to get this into all distros.
>     
>     > Or someone might install a malicious KWin script
>     
>     KWin scripts are fine (both QScript based scripts and effects). QML based scripts are problematic at the moment (will be hardened). QML based decorations (and decorations in general) are not a problem. I spent quite some time thinking about what is dangerous in KWin and what isn't ;-)
>     
>     > Or the bad app might install a .desktop file override in .local/share/applications overriding e.g. Firefox and then catching all the input.
>     
>     That's obvious, but our launcher got hardened against such things years ago (see https://www.purinchu.net/wp/2009/02/21/desktop-file-security/ )
>     
>     > they already have access to all files in the home directory and likely have reached their goal already
>     
>     I disagree on that. This was the approach on X - hey we don't have to do security, because heck X is broken anyway. I really think we should prevent the keylogger scenario.
>     
>     > Is this effort worth it?
>     
>     Yes, if it makes it impossible to get a keylogger it's worth it.

> Yes, if it makes it impossible to get a keylogger it's worth it.

I figured you'd say that :-D
So, I think the `env -i` workaround is something reasonable to do - given how things look currently, I'd say commit it and we'll see what breaks - changes can always be reverted, if they prove to result in more problems than expected.

I bet things like SELinux will prevent ptrace on distros using it as well, if they don't already have other countermeasures.
Having looked at KDE/Plasma startup *again*, I am really itching to pursue the startup refactoring further (rough idea is to get rid of kwrapper5, kinit, ksmserver and the shell scripts and have one service managing the whole session). That unfortunately has to wait until I have more time for it...


- Matthias


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126115/#review88620
-----------------------------------------------------------


On Nov. 19, 2015, 12:22 nachm., Martin Gräßlin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126115/
> -----------------------------------------------------------
> 
> (Updated Nov. 19, 2015, 12:22 nachm.)
> 
> 
> Review request for Plasma, David Edmundson and Matthias Klumpp.
> 
> 
> Repository: plasma-workspace
> 
> 
> Description
> -------
> 
> Any environment variable which can be used to specify a path to a
> binary object to be loaded in the KWin process bears the risk of
> being abused to add code to KWin to perform as a key logger.
> 
> E.g. an env variable pointing QT_PLUGIN_PATH to a location in $HOME
> and adjusting QT_STYLE_OVERRIDE to load a specific QStyle plugin from
> that location would allow to easily log all keys without KWin noticing.
> 
> As env variables can be specified in scripts sourced before the session
> starts there is not much KWin can do about that to protect itself.
> 
> This affects all the LD_* variables and any library KWin uses and
> loads plugins.
> 
> The list here is based on what I could find:
> * LD_* variables as specified in the man page
> * LIBGL_* and EGL_* as specified on mesa page
> * QT_* variables based on "git grep qgetenv" in qtbase and qtdeclarative
>   combined with Qt's documentation
> * "git grep getenv" in various KDE frameworks based on ldd output of KWin
> 
> Unfortunately the list is unlikely to be complete. If one env variable is
> missed, there is a risk. Even more each change in any library might
> introduce new variables.
> 
> The approach is futile, but needed till Linux has a secure way to start
> the session without sourcing env variable scripts from user owned
> locations.
> 
> 
> Diffs
> -----
> 
>   startkde/startplasmacompositor.cmake 1e46e5be0a0d733fb01e1a87a34ee3c73a06bf8c 
> 
> Diff: https://git.reviewboard.kde.org/r/126115/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Martin Gräßlin
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/plasma-devel/attachments/20151119/88eab938/attachment-0001.html>

More information about the Plasma-devel mailing list