Suggestion to Remove KFloppy and hold back K3b
Martin Gräßlin
mgraesslin at kde.org
Wed Feb 22 21:01:01 UTC 2017
On 2017-02-22 20:18, Wolfgang Bauer wrote:
> On Tuesday, 21 February 2017, 18:55:00, Nicolás Alvarez wrote:
>> > On Feb 15, 2017, at 17:58, Wolfgang Bauer <wbauer at tmo.at> wrote:
>> >
>> > On Wednesday, 15 February 2017, 22:21:19, Martin Gräßlin wrote:
>> >> Please do not consider starting a GUI application as root a possibility.
>> >
>> > Ok, but partitionmanager does exactly that. It restarts itself as root if
>> > run as user.
>> > So that instantly would rule out partionmanager as a proposed replacement,
>> > I suppose.
>> >
>> > But KFloppy is quite a simple application.
>> > There should not really be a special risk involved running it as root, but
>> > I might be mistaken there.
>>
>> Sounds like you're challenging Martin to write a take-over-machine exploit
>> via root KFloppy, and I would bet money that he would succeed ;)
>
> No, I don't.
>
> I just meant to say that the attack surface is smaller than for (certain)
> other applications.
The attack surface is exactly the same as any other X application. It's
X itself which will make this exploitable.
> You definitely cannot open a root konsole and run arbitrary commands as root
> by just sending fake key presses to kfloppy... ;)
That was just the trivial case and not even an exploit. It was all pure
X protocol.
An exploit would be to use a string parsing bug in Qt/xcb to trigger a
crash in KFloppy. And all I need for that is:
* a fuzzer
* a window opening as root
We just need to accept that opening a root window means we are owned.
Yes, sounds bad. Yes, no known exploits in the wild. Yes, I'm sure it's
not just a theoretical threat. I got hundreds of bug reports (#361236)
over the last year of KWin crashing in Qt's string handling, most likely from
a window property. So to me it's a definite truth that there are
exploitable window-property-to-string vulnerabilities when run as root.
That's also why KWin/Wayland is not root, but user.
>
> But please.
> I already wrote that restarting the application as root was just one idea to
> work around permission problems. (I even mentioned using kauth as option too
> in my first mail, and that's what I'll try to implement...)
> And to repeat: I already dropped that idea completely.
>
> So I don't see a point in continuing the discussion about this here.
I answered nevertheless, because I think it's important for all devs to
understand that connecting to X11 as root means a risk to their users
and that there is nothing their application can do to protect against
it.
Cheers
Martin
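The practical consequence of the point above (no X11 client can protect itself from other clients, so the GUI process must simply never hold root) can be enforced at startup. The following is an added example, not code from KFloppy, KWin or the thread; the function and enum names are my own, and the privileged work is assumed to live in a separate helper such as KAuth/polkit.

```c
/* Added example: a startup guard a GUI application can run before any
 * toolkit code connects to the display. It refuses to continue when the
 * process has root privileges and can reach an X server, because every X11
 * client on that server can synthesise input for and set window properties
 * on every other client; the GUI itself cannot defend against that. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum gui_verdict { GUI_OK = 0, GUI_REFUSE_ROOT_X11 = 1, GUI_WARN_ROOT_WAYLAND = 2 };

/* Pure decision function so the policy can be tested without a display.
 * uid/euid: real and effective user id; display/wayland_display: the
 * DISPLAY and WAYLAND_DISPLAY environment values (NULL if unset). */
enum gui_verdict gui_root_verdict(unsigned uid, unsigned euid,
                                  const char *display, const char *wayland_display)
{
    int privileged = (uid == 0 || euid == 0);   /* covers setuid-root binaries too */
    int on_x11     = display && *display;
    int on_wayland = wayland_display && *wayland_display;

    if (!privileged) return GUI_OK;
    /* A Wayland session normally still exports DISPLAY for XWayland, so any
     * root process that can reach an X server is treated as unsafe first. */
    if (on_x11)     return GUI_REFUSE_ROOT_X11;
    if (on_wayland) return GUI_WARN_ROOT_WAYLAND; /* not the X11 risk, but still root */
    return GUI_OK;                                /* headless root: no display to abuse */
}

/* Reads the real process state and exits before the toolkit is initialised. */
void refuse_gui_as_root(void)
{
    enum gui_verdict v = gui_root_verdict(getuid(), geteuid(),
                                          getenv("DISPLAY"), getenv("WAYLAND_DISPLAY"));
    if (v == GUI_REFUSE_ROOT_X11) {
        fprintf(stderr, "refusing to start a GUI as root on X11; run as a normal "
                        "user and do privileged work in a KAuth/polkit helper\n");
        exit(EXIT_FAILURE);
    }
    if (v == GUI_WARN_ROOT_WAYLAND)
        fprintf(stderr, "warning: running a GUI as root; privileges should be dropped\n");
}

int main(void)
{
    refuse_gui_as_root();
    puts("not root on X11, continuing to toolkit initialisation");
    return 0;
}
```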