Re: Suggestion to Remove KFloppy and hold back K3b
- Date: Wed, 22 Feb 2017 22:01:01 +0100
- From: Martin Gräßlin <mgraesslin@xxxxxxx>
- Subject: Re: Suggestion to Remove KFloppy and hold back K3b
On 2017-02-22 20:18, Wolfgang Bauer wrote:
> On Tuesday, 21 February 2017, 18:55:00, Nicolás Alvarez wrote:
>> On Feb 15, 2017, at 17:58, Wolfgang Bauer <wbauer@xxxxxx> wrote:
>>> On Wednesday, 15 February 2017, 22:21:19, Martin Gräßlin wrote:
>>>> Please do not consider starting a GUI application as root a possibility.
>>> Ok, but partitionmanager does exactly that. It restarts itself as root if
>>> run as user.
>>> So that instantly would rule out partitionmanager as a proposed replacement,
>>> I suppose.
>>> But KFloppy is quite a simple application.
>>> There should not really be a special risk involved running it as root, but
>>> I might be mistaken there.
>> Sounds like you're challenging Martin to write a take-over-machine
>> via root KFloppy, and I would bet money that he would succeed ;)
> No, I don't.
> I just meant to say that the attack surface is smaller than for

The attack surface is exactly the same as any other X application. It's
X itself which will make this exploitable.

> You definitely cannot open a root konsole and run arbitrary commands as
> by just sending fake key presses to kfloppy... ;)

That was just the trivial case and not even an exploit. It was all pure
An exploit would be to use a string parsing bug in Qt/xcb to trigger a
crash in KFloppy. And all I need for that is:
* a fuzzer
* a window opening as root

We just need to accept that opening a root window means we are owned.
Yes, sounds bad. Yes, no known exploits in the wild. Yes, I'm sure it's
not just a theoretical threat. I got hundreds of bug reports (#361236)
over the last year of KWin crashing in Qt's string handling, most likely from
a window property. So to me it's a definite truth that there are
exploitable window-property-to-string vulnerabilities when run as root.
That's also why KWin/Wayland is not root, but user.

> I already wrote that restarting the application as root was just one
> work around permission problems. (I even mentioned using kauth as
> in my first mail, and that's what I'll try to implement...)
> And to repeat: I already dropped that idea completely.
> So I don't see a point in continuing the discussion about this here.

I answered nevertheless, because I think it's important for all devs to
understand that connecting to X11 as root means a risk to their users
and that there is nothing their application can do to protect against
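Added here as an illustration of the point made above, not code from this thread or from any KDE project: a hypothetical triage script for administrators that walks /proc and lists processes running as root whose environment carries DISPLAY, i.e. the GUI applications that have restarted themselves as root and are talking to X11. The heuristic (uid 0 plus DISPLAY) and the helper names are assumptions; reading other processes' environ normally requires running the script as root.

```python
#!/usr/bin/env python3
"""List root processes that look like X11 clients (hypothetical triage tool)."""
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def parse_uid(status_text: str) -> Optional[Tuple[int, int]]:
    """Return (real_uid, effective_uid) from /proc/<pid>/status text, or None."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            fields = line.split()          # "Uid: real effective saved fs"
            if len(fields) >= 3:
                return int(fields[1]), int(fields[2])
    return None


def parse_environ(environ_bytes: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE blob from /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in environ_bytes.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def is_root_x11_client(status_text: str, environ_bytes: bytes) -> bool:
    """Heuristic (assumption): root if real or effective uid is 0, X11 client if DISPLAY is set."""
    uids = parse_uid(status_text)
    if uids is None or 0 not in uids:
        return False
    return "DISPLAY" in parse_environ(environ_bytes)


def scan_proc(proc: str = "/proc") -> List[Tuple[int, str, str]]:
    """Return (pid, comm, DISPLAY) for every root X11 client found under proc."""
    findings = []
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            status = (entry / "status").read_text()
            environ = (entry / "environ").read_bytes()
            comm = (entry / "comm").read_text().strip()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue                       # process vanished or we lack privilege
        if is_root_x11_client(status, environ):
            findings.append((int(entry.name), comm, parse_environ(environ)["DISPLAY"]))
    return findings


if __name__ == "__main__":
    for pid, comm, display in scan_proc():
        print(f"root X11 client: pid={pid} comm={comm} DISPLAY={display}")
```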