
List:       kde-core-devel
Subject:    Re: Security Audit Request for Screenlocker Branch
From:       Andras Mantia <amantia () kde ! org>
Date:       2011-10-11 13:06:11
Message-ID: 1730434.TNOid8kQ15 () stein

On Sunday, October 09, 2011 20:02:27 Martin Gräßlin wrote:
> Hi all,
> 
> as you might know we have been working on moving the screenlocker from
> KRunner to KWin and passed the control to the compositor (iff
> compositing is active) to ensure that nothing which should not be
> shown gets visible.
> 
> I want to request a security audit for the changes to ensure that the
> new implementation is as secure as the existing one and that I did
> not forget an important case which would compromise the security.
> 
> The general concept of the new screenlocker is described in the wiki:
> http://community.kde.org/KWin/Screenlocker

From here:
"If KWin crashes without restarting privacy is leaked but the system is 
hardly usable due to missing window manager. This situation can safely 
be ignored as a corner case as KWin normally restarts."

This is not true: the system can be used without a window manager and if 
you happen to have a running terminal or start one, it is possible to 
start a new window manager (which might not be kwin) and access 
everything.

Several times I have had the case (for whatever reason) where I was without a 
running kwin and had to start one manually.

Andras
