On Saturday 13 January 2018 23:55:16 CET, Luca Beltrame wrote:
(please keep Fabian in CC, he's not subscribed and found out most of the issues reported here)

At openSUSE we have to request reviews by the security team before
new polkit services get accepted. This is the case for the kio kauth helper as well. While the security team raised concerns with the wide capabilities of the helper (it can easily be used to do literally everything), we had a look at the implementation itself to find some obvious security issues:

- The privilege is persistent for the entire session

No, it's not. Despite the name, 'Persistence=session' just means the privilege is kept for a few minutes.

(already fixed).

Why was 029da62886e0 committed without code review?

- The confirmation prompt for the kauth action use does not tell what is going to happen. So you might open a file dialog and then instead of opening a file, write to /bin/sh.
- Trivial stack-based buffer overflow in the kauth helper:
  https://cgit.kde.org/kio.git/tree/src/ioslaves/file/sharefd_p.h#n57
- The socket used to send and receive file descriptors does not have any kind of permission check. You can easily send fds to and receive fds from users of the kauth helper on the same machine. (BTW, SocketAddress::length should return the actual length of the buffer, currently it adds ~100 '\0' bytes to the end)

In its current state we cannot recommend that anyone enable this.
However, we hope that those issues can be addressed, it does provide some useful functionality.

Is someone already working on fixes for the above issues?


Luca Beltrame
on behalf of the openSUSE KDE Team

Cheers,
Elvis
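As an added illustration of the last two bullet points (not code from kio or from either poster), a bounds-checked AF_UNIX address helper: it refuses paths that would not fit in sun_path, and its length() returns the bytes actually in use rather than sizeof(sockaddr_un). The class and method names are assumptions.

```cpp
// Added example, not kio's SocketAddress: a sockaddr_un wrapper that
// (1) rejects over-long paths instead of overflowing sun_path and
// (2) reports the real address length for bind()/connect().
#include <sys/socket.h>
#include <sys/un.h>
#include <cstddef>
#include <cstring>
#include <string>

class SafeSocketAddress {
public:
    explicit SafeSocketAddress(const std::string &path)
    {
        std::memset(&m_addr, 0, sizeof(m_addr));
        // sun_path is 108 bytes on Linux; the path plus its terminating
        // NUL must fit, otherwise the copy below would overrun the struct.
        if (path.empty() || path.size() >= sizeof(m_addr.sun_path)) {
            return; // m_valid stays false; caller must not use this address
        }
        m_addr.sun_family = AF_UNIX;
        std::memcpy(m_addr.sun_path, path.c_str(), path.size() + 1);
        // Header + path + NUL: not the whole struct padded with ~100 zeros.
        m_len = static_cast<socklen_t>(offsetof(sockaddr_un, sun_path) + path.size() + 1);
        m_valid = true;
    }

    bool isValid() const { return m_valid; }

    const sockaddr *address() const
    {
        return reinterpret_cast<const sockaddr *>(&m_addr);
    }

    // Length to hand to bind()/connect(); 0 when the address is invalid.
    socklen_t length() const { return m_len; }

private:
    sockaddr_un m_addr;
    socklen_t m_len = 0;
    bool m_valid = false;
};
```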
