From konsole-devel  Wed May 06 12:15:11 2009
From: Lars Doelle <lars.doelle () on-line ! de>
Date: Wed, 06 May 2009 12:15:11 +0000
To: konsole-devel
Subject: Re: [Konsole-devel] KDE 4 Konsole DBus works -- security objections,
Message-Id: <200905061415.12210.lars.doelle () on-line ! de>
X-MARC-Message: https://marc.info/?l=konsole-devel&m=124161252918769

Arno,

> It doesn't prevent anything. Let's assume the case you explained before
> (an attacker could execute arbitrary code on the local machine). So he
> could still create a new malicous profile and execute it with
> newSession() or just wait until you spawn a new tab. If I'd exploit your
> local machine by adding a new default profile for your KDE konsole with
> this command:
> 
> echo 'alias su="echo 'owned'"' >> ~/.bashrc && bash

You're right, Arno. If you have the admin's user account, you almost certainly
have the system. My concerns are indefensible and I retract them. Sorry for
the hassle.


> Just to give you an idea:
> 
> arno@snowball:~$ wc -l .ssh/known_hosts
> 957 .ssh/known_hosts

Nice. And all Debian boxes? This leaves me wondering, that deployment
software e.g. FAI, m32, is still not suited to manage massive upgrades.

-lars
_______________________________________________
konsole-devel mailing list
konsole-devel@kde.org
https://mail.kde.org/mailman/listinfo/konsole-devel