Web lists-archives.com

Re: Suggestion to Remove KFloppy and hold back K3b

Am 2017-02-22 20:18, schrieb Wolfgang Bauer:
Am Dienstag, 21. Februar 2017, 18:55:00 schrieb Nicolás Alvarez:
> On Feb 15, 2017, at 17:58, Wolfgang Bauer <wbauer@xxxxxx> wrote:
> Am Mittwoch, 15. Februar 2017, 22:21:19 schrieb Martin Gräßlin:
>> Please do not consider starting a GUI application as root a possibility.
> Ok, but partitionmanager does exactly that. It restarts itself as root if
> run as user.
> So that instantly would rule out partionmanager as a proposed replacement,
> I suppose.
> But KFloppy is quite a simple application.
> There should not really be a special risk involved running it as root, but
> I might be mistaken there.

Sounds like you're challenging Martin to write a take-over-machine exploit
via root KFloppy, and I would bet money that he would succeed ;)

No, I don't.

I just meant to say that the attack surface is smaller that for (certain)
other applications.

The attack surface is exactly the same as any other X application. It's X itself which will make this exploitable.

You definitely cannot open a root konsole and run arbitrary commands as root
by just sending fake key presses to kfloppy... ;)

That was just the trivial case and not even an exploit. It was all pure X protocol.

An exploit would be to use a string parsing bug in Qt/xcb to trigger a crash in KFloppy. And all I need for that is:
* a fuzzer
* a window opening as root

We just need to accept that opening a root window means we are owned. Yes, sounds bad. Yes, no known exploits in the wild. Yes, I'm sure it's not just a theoretical threat. I got hundreds of bug reports (#361236) the last year of KWin crashing in Qt's string handling most likely from a window property. So to me it's a definite truth that there are exploitable window property to string vulnerabilities when run as root. That's also why KWin/Wayland is not root, but user.

But please.
I already wrote that restarting the application as root was just one idea to work around permission problems. (I even mentioned using kauth as option too
in my first mail, and that's what I'll try to implement...)
And to repeat: I already dropped that idea completely.

So I don't see a point in continuing the discussion about this here.

I answered nevertheless, because I think it's important for all devs to understand that connecting to X11 as root means a risk to their users and that there is nothing their application can do to protect against it.