----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://git.reviewboard.kde.org/r/126102/ -----------------------------------------------------------
(Updated Nov. 18, 2015, 4:36 p.m.) Status ------ This change has been discarded. Review request for Plasma. Repository: plasma-workspace Description ------- This change makes sure that the environment scripts are not sourced before KWin is started. No user installed scripts are allowed to modify KWin's environment as that opens an attack vector. For example any binary plugin loaded into KWin (be it QStyle, QPT plugin, etc.) is able to become a key logger. If the env variables were allowed to be sourced before KWin is started a malicious application run as user (e.g. exploiting browser vulnerability) would be able to install a key logger. Required steps: 1. install a malicious QStyle plugin somewhere in $HOME 2. place a script in env to adjust variables to load the QStyle plugin This would be enough to have a key logger on next login. Given that the startup of KWin must not be affected by any scripts owned by user prior to startup. The env scripts are now sourced as first step of startplasma, so for applications in the session there is no difference. Diffs ----- startkde/startplasma.cmake 8360a636d3f68c957a15158484360a611cfe3ff8 startkde/startplasmacompositor.cmake 8b5db615142455fd360c66504fc5d5a7754a029c Diff: https://git.reviewboard.kde.org/r/126102/diff/ Testing ------- Thanks, Martin Gräßlin
_______________________________________________ Plasma-devel mailing list Plasma-devel@kde.org https://mail.kde.org/mailman/listinfo/plasma-devel
