> On Nov. 18, 2015, 3:57 p.m., Matthias Klumpp wrote:
> > I just wanted to write what David wrote ;-)
> > Maybe a way to resolve this is to filter environment variables in KWin or
> > before starting KWin, so anything pointing to directories in $HOME gets
> > stripped away (unsetting LD_* variables might also be part of that).
>
> Martin Gräßlin wrote:
> Well, those are many possible variables and it might be a terrible catch-up
> game with any new variable Qt includes. It at least would affect:
> - LD_LIBRARY_PATH
> - QT_PLUGIN_PATH
> - PATH
> - LD_PRELOAD (see the general LD_PRELOAD Wayland keylogger hack)
> - some QML variables which I don't know right now
> - anything else I don't remember right now
> - any aliases (one could do alias kwin_wayland="something evil")
> - any bash functions.
>
> Ideally there just shouldn't be any scripts sourced before kwin gets
> started.
>
> Matthias Klumpp wrote:
> I was thinking more of an "unset all => set what's needed" workflow.
> Aliases can be worked around by giving absolute paths in the script.
> Still, it isn't nice and unfortunately some of those scripts need to be
> sourced because of $HISTORIC_REASON or simply because users expect it, or -
> in case of .pam_environment - because it's a global distro default.
> The only way around that would be starting KWin before SDDM starts (which
> would have its own problems, as far as I can see).
> Meh :-/
> The only way around that would be starting KWin before SDDM starts

Nope, that wouldn't be a solution, as KWin needs to run in the user session.

So, yeah, maybe just unset all variables after the sourcing of the scripts. Might break my workflow, but well ;-)

- Martin

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/126102/#review88528
-----------------------------------------------------------

On Nov. 18, 2015, 9:18 a.m., Martin Gräßlin wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/126102/
> -----------------------------------------------------------
>
> (Updated Nov. 18, 2015, 9:18 a.m.)
>
>
> Review request for Plasma.
>
>
> Repository: plasma-workspace
>
>
> Description
> -------
>
> This change makes sure that the environment scripts are not sourced
> before KWin is started. No user-installed scripts are allowed to modify
> KWin's environment, as that opens an attack vector.
>
> For example, any binary plugin loaded into KWin (be it a QStyle, QPA plugin,
> etc.) is able to become a key logger. If the env variables were allowed
> to be sourced before KWin is started, a malicious application run as the user
> (e.g. exploiting a browser vulnerability) would be able to install a key
> logger. Required steps:
> 1. install a malicious QStyle plugin somewhere in $HOME
> 2. place a script in env to adjust variables to load the QStyle plugin
>
> This would be enough to have a key logger on next login.
>
> Given that, the startup of KWin must not be affected by any scripts
> owned by the user prior to startup.
>
> The env scripts are now sourced as the first step of startplasma, so
> for applications in the session there is no difference.
>
>
> Diffs
> -----
>
> startkde/startplasma.cmake 8360a636d3f68c957a15158484360a611cfe3ff8
> startkde/startplasmacompositor.cmake 8b5db615142455fd360c66504fc5d5a7754a029c
>
> Diff: https://git.reviewboard.kde.org/r/126102/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Martin Gräßlin
>
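The "unset all => set what's needed" workflow Matthias proposes above and Martin leans toward, as an added example that is not part of the review or of the plasma-workspace code; the KEEP_VARS allowlist and the loader-variable list are assumptions for illustration:

```sh
#!/bin/sh
# Added example, not code from the plasma-workspace review: the "unset all,
# then set what is needed" filter discussed above, run after the user's env
# scripts are sourced and before a trusted process such as kwin_wayland is
# exec'd. KEEP_VARS is an assumed allowlist; adjust it to the real session.
KEEP_VARS="HOME USER LOGNAME LANG DISPLAY WAYLAND_DISPLAY XDG_RUNTIME_DIR DBUS_SESSION_BUS_ADDRESS"

# True when $1 steers dynamic loading or plugin lookup (LD_* covers
# LD_PRELOAD and LD_LIBRARY_PATH). These are never copied, even if allowlisted.
is_loader_var() {
    case "$1" in
        LD_*|QT_PLUGIN_PATH|QML2_IMPORT_PATH) return 0 ;;
        *) return 1 ;;
    esac
}

# Print $1 (a ':'-separated list) with every element removed that is empty
# (implicit cwd), relative, or under $2, the user's home: exactly the
# elements a user-writable env script could point at its own files.
scrub_path_list() {
    _rest="$1:"; _home=${2%/}; _out=""
    while [ -n "$_rest" ]; do
        _elem=${_rest%%:*}; _rest=${_rest#*:}
        case "$_elem" in
            ""|"$_home"|"$_home"/*) ;;            # cwd or inside $HOME: dropped
            /*) _out="${_out:+$_out:}$_elem" ;;   # absolute, outside home: kept
            *) ;;                                 # relative: dropped
        esac
    done
    printf '%s\n' "$_out"
}

# Emit NAME=VALUE lines for the trusted process: only allowlisted, non-loader
# variables are copied from the sourced environment, and PATH is scrubbed
# rather than dropped so absolute program paths still resolve.
filtered_env() {
    _h=${HOME:-/nonexistent}
    for _name in $KEEP_VARS; do
        is_loader_var "$_name" && continue
        eval "_v=\${$_name:-}"
        [ -n "$_v" ] && printf '%s=%s\n' "$_name" "$_v"
    done
    printf 'PATH=%s\n' "$(scrub_path_list "${PATH:-}" "$_h")"
}
```

The output lines are meant to be handed to `env -i` before exec'ing the compositor; values containing whitespace would need quoting first.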
_______________________________________________
Plasma-devel mailing list
Plasma-devel@kde.org
https://mail.kde.org/mailman/listinfo/plasma-devel