-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126102/#review88525
-----------------------------------------------------------

won't make a difference, SDDM sources a tonne before we get to you.

- David Edmundson


On Nov. 18, 2015, 8:18 a.m., Martin Gräßlin wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126102/
> -----------------------------------------------------------
>
> (Updated Nov. 18, 2015, 8:18 a.m.)
>
>
> Review request for Plasma.
>
>
> Repository: plasma-workspace
>
>
> Description
> -------
>
> This change makes sure that the environment scripts are not sourced
> before KWin is started. No user installed scripts are allowed to modify
> KWin's environment as that opens an attack vector.
>
> For example any binary plugin loaded into KWin (be it QStyle, QPT plugin,
> etc.) is able to become a key logger. If the env variables were allowed
> to be sourced before KWin is started a malicious application run as user
> (e.g. exploiting browser vulnerability) would be able to install a key
> logger. Required steps:
> 1. install a malicious QStyle plugin somewhere in $HOME
> 2. place a script in env to adjust variables to load the QStyle plugin
>
> This would be enough to have a key logger on next login.
>
> Given that, the startup of KWin must not be affected by any scripts
> owned by user prior to startup.
>
> The env scripts are now sourced as first step of startplasma, so
> for applications in the session there is no difference.
>
>
> Diffs
> -----
>
>   startkde/startplasma.cmake 8360a636d3f68c957a15158484360a611cfe3ff8
>   startkde/startplasmacompositor.cmake 8b5db615142455fd360c66504fc5d5a7754a029c
>
> Diff: https://git.reviewboard.kde.org/r/126102/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Martin Gräßlin
>
>
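
A defensive check for the setup described in the review request above, as an added example that is not part of this thread or of plasma-workspace: it lists session env scripts that assign variables able to steer Qt plugin or shared-library loading, and marks values that point into the user's home. The variable watchlist, the function names and the sample scripts are assumptions of this example.

```shell
#!/bin/sh
# Added example (not plasma-workspace code). Variables that steer Qt plugin or
# shared-library loading; this watchlist is an assumption of the example.
WATCHLIST='QT_PLUGIN_PATH QT_QPA_PLATFORM_PLUGIN_PATH QT_STYLE_OVERRIDE LD_PRELOAD LD_LIBRARY_PATH'

# audit_env_dir DIR [HOME_PATH]
# Prints "script VARIABLE home|other" for every watched assignment found.
# "home" means the assigned value points into the user's home directory.
audit_env_dir() {
    dir=$1
    home=${2:-$HOME}
    for script in "$dir"/*.sh; do
        [ -f "$script" ] || continue              # glob matched nothing
        for var in $WATCHLIST; do
            grep -v '^[[:space:]]*#' "$script" |  # ignore comment lines
            grep -E "(^|[[:space:];])${var}=" |
            while IFS= read -r line; do
                value=${line#*"${var}="}
                case $value in
                    *"$home"*|*'$HOME'*|*'${HOME}'*|*'~'*) where=home ;;
                    *) where=other ;;
                esac
                printf '%s %s %s\n' "${script##*/}" "$var" "$where"
            done
        done
    done
}

# Constructed sample scripts, so the check can be tried without a real session.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '# export LD_PRELOAD=/tmp/x.so' \
        'export QT_PLUGIN_PATH=$HOME/.local/lib/plugins' > "$tmp/a.sh"
    printf '%s\n' 'export EDITOR=vim' > "$tmp/b.sh"
    printf '%s\n' 'QT_STYLE_OVERRIDE=fusion; export QT_STYLE_OVERRIDE' > "$tmp/c.sh"
    audit_env_dir "$tmp" /home/alice
    rm -rf "$tmp"
}

demo
```

On a Plasma 5 system the directory to audit would be `${XDG_CONFIG_HOME:-$HOME/.config}/plasma-workspace/env`; that path is not stated in the thread and is assumed here.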