
List:       kde-devel
Subject:    Re: kdesu documentation
From:       Martin Sandsmark <sandsmark () samfundet ! no>
Date:       2010-09-20 17:06:02
Message-ID: 201009201906.05232.sandsmark () samfundet ! no

On Monday 20. September 2010 16.11.30 John Tapsell wrote:
> Using sudo from a konsole isn't quite the same, because the
> "remembering" feature is tied to a particular virtual terminal.  I
> don't know if policy kit has the problem of snooping keypresses.
> The point is, kdesu does have real problems with it.  Problems that
> are reduced by policy kit.

What prevents something from LD_PRELOADing (yes, I love LD_PRELOAD) in 
something that replaces the kdesu dialog completely, but looks identical (or 
simply just logs all keystrokes, or just replaces all password inputs)? As 
Lubos said, if you're having malicious code running locally, you're fucked 
already (with nicer words). :-)
PolicyKit doesn't give you any more security (at least in this scenario, I 
don't know about others).

-- 
Martin T. Sandsmark
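
Added example, not part of the original message: a defender-side check that reads each readable process's /proc/<pid>/environ and reports any LD_PRELOAD entries, for instance on a running kdesu. The trusted directory list, the sample environ blob and all function names are assumptions made for this illustration.

```python
import os

# Assumption: directories treated as trusted library locations on this host.
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")

# Constructed sample of a raw /proc/<pid>/environ blob (NUL-separated).
SAMPLE_ENVIRON = (b"HOME=/home/alice\0"
                  b"LD_PRELOAD=/tmp/libfake.so:/usr/lib/libgood.so\0"
                  b"DISPLAY=:0\0")


def preload_entries(environ_blob):
    """Return the library paths named by LD_PRELOAD in an environ blob."""
    for item in environ_blob.split(b"\0"):
        name, sep, value = item.partition(b"=")
        if sep and name == b"LD_PRELOAD":
            # ld.so accepts both colons and spaces as list separators.
            text = value.decode("utf-8", "replace")
            return text.replace(":", " ").split()
    return []


def untrusted(paths):
    """Paths outside the trusted directories (bare names are flagged too)."""
    return [p for p in paths
            if not os.path.normpath(p).startswith(TRUSTED_PREFIXES)]


def scan_proc(proc_root="/proc", comm_filter=None):
    """List (pid, comm, preloads, untrusted preloads) for readable processes."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(proc_root, pid, "environ"), "rb") as f:
                libs = preload_entries(f.read())
        except OSError:
            continue  # process exited, or owned by another user
        if libs and comm_filter in (None, comm):
            findings.append((int(pid), comm, libs, untrusted(libs)))
    return findings


if __name__ == "__main__":
    print(untrusted(preload_entries(SAMPLE_ENVIRON)))
    for finding in scan_proc(comm_filter="kdesu"):
        print(finding)
```

/proc/<pid>/environ shows the environment as it was at exec time and is readable only for your own processes unless you are root. Libraries listed in /etc/ld.so.preload are not covered by this check.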
 