Suggestion to Remove KFloppy and hold back K3b

Martin Gräßlin mgraesslin at kde.org
Wed Feb 22 21:01:01 UTC 2017


On 2017-02-22 20:18, Wolfgang Bauer wrote:
> On Tuesday, 21 February 2017, 18:55:00 Nicolás Alvarez wrote:
>> > On Feb 15, 2017, at 17:58, Wolfgang Bauer <wbauer at tmo.at> wrote:
>> >
>> > On Wednesday, 15 February 2017, 22:21:19 Martin Gräßlin wrote:
>> >> Please do not consider starting a GUI application as root a possibility.
>> >
>> > Ok, but partitionmanager does exactly that. It restarts itself as root if
>> > run as user.
>> > So that instantly would rule out partitionmanager as a proposed replacement,
>> > I suppose.
>> >
>> > But KFloppy is quite a simple application.
>> > There should not really be a special risk involved running it as root, but
>> > I might be mistaken there.
>> 
>> Sounds like you're challenging Martin to write a take-over-machine exploit
>> via root KFloppy, and I would bet money that he would succeed ;)
> 
> No, I don't.
> 
> I just meant to say that the attack surface is smaller than for (certain)
> other applications.

The attack surface is exactly the same as any other X application. It's 
X itself which will make this exploitable.

> You definitely cannot open a root konsole and run arbitrary commands as root
> by just sending fake key presses to kfloppy... ;)

That was just the trivial case and not even an exploit. It was all pure 
X protocol.

An exploit would be to use a string parsing bug in Qt/xcb to trigger a 
crash in KFloppy. And all I need for that is:
* a fuzzer
* a window opening as root

We just need to accept that opening a root window means we are owned. 
Yes, sounds bad. Yes, no known exploits in the wild. Yes, I'm sure it's 
not just a theoretical threat. I got hundreds of bug reports (#361236) 
in the last year of KWin crashing in Qt's string handling, most likely from 
a window property. So to me it's a definite truth that there are 
exploitable window-property-to-string vulnerabilities when run as root. 
That's also why KWin/Wayland is not root, but user.

> 
> But please.
> I already wrote that restarting the application as root was just one idea to
> work around permission problems. (I even mentioned using kauth as option too
> in my first mail, and that's what I'll try to implement...)
> And to repeat: I already dropped that idea completely.
> 
> So I don't see a point in continuing the discussion about this here.

I answered nevertheless, because I think it's important for all devs to 
understand that connecting to X11 as root means a risk to their users 
and that there is nothing their application can do to protect against 
it.

Cheers
Martin
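The practical consequence of Martin's point is a startup guard: a GUI program should refuse to open an X11 window when it finds itself running as root, and push the privileged part into a separate helper (the KAuth route Wolfgang mentions). The guard below is an added example written for this page, not code from the thread, from KFloppy or from KDE; the function name `gui_as_root_reason` and the use of `SUDO_USER` for a friendlier message are this example's own assumptions. The decision is kept in a pure function of the effective uid and the environment so it can be tested without a display.

```python
"""Refuse to open an X11 window as root.

Added example for this mailing-list thread, not KFloppy/KDE code.
The thread's argument: every client on a display can drive any other
client over the plain X protocol, and window properties are parsed by
the toolkit (Qt/xcb) with the privileges of the process reading them.
A root window therefore cannot protect itself; the only safe move is
not to create one.
"""
import os
import sys


def gui_as_root_reason(euid, env):
    """Return a reason to abort startup, or None if starting the GUI is fine.

    euid: effective user id of the process (os.geteuid() in practice).
    env:  mapping of environment variables (os.environ in practice).
    Assumption of this example: an X11 session is detected solely via DISPLAY.
    """
    if euid != 0:
        # Unprivileged process: a compromise stays within this user's session.
        return None
    display = env.get("DISPLAY")
    if not display:
        # No X11 display to connect to; root daemons and CLIs are out of scope here.
        return None
    hint = ""
    if env.get("SUDO_USER"):
        # Assumed convention: sudo exports the invoking user, which we use only
        # to tell the person how to run the program correctly.
        hint = f" (started via sudo by {env['SUDO_USER']}; run it as that user instead)"
    return (
        f"refusing to open an X11 window on DISPLAY={display} as root{hint}: "
        "any client on this display can inject input into it, and every window "
        "property it reads is parsed with root privileges"
    )


def main():
    reason = gui_as_root_reason(os.geteuid(), os.environ)
    if reason:
        print(reason, file=sys.stderr)
        return 1
    print("ok: not root, or no X11 display; continuing startup")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run this before any toolkit initialisation, i.e. before a `QApplication` or similar is constructed, because the risk starts with the first connection to the X server, not with the first window. Any operation that genuinely needs root (writing to a raw floppy device, repartitioning) belongs in a non-GUI helper that is invoked with an authorisation framework such as KAuth and never touches the display.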


More information about the release-team mailing list