D10437: Limit the use of file.so for privilege operation to one application

2018-02-11 Thread Chinmoy Ranjan Pradhan
chinmoyr created this revision. chinmoyr added reviewers: Frameworks, dfaure, fvogt. Restricted Application added a project: Frameworks. chinmoyr requested review of this revision. REVISION SUMMARY After successful authorization for privilege execution the whole session gets full root-level acc

2018-02-11 Thread Fabian Vogt
fvogt added a comment. If I'm not mistaken, the application sends its own pid to the slave. This means it could just fake it. REPOSITORY R241 KIO REVISION DETAIL https://phabricator.kde.org/D10437 To: chinmoyr, #frameworks, dfaure, fvogt Cc: michaelh

2018-02-11 Thread Chinmoy Ranjan Pradhan
chinmoyr added a comment. The whole work is being done inside KIO::Job. If the application uses regular Jobs then I can't see how it can fake it. REPOSITORY R241 KIO REVISION DETAIL https://phabricator.kde.org/D10437 To: chinmoyr, #frameworks, dfaure, fvogt Cc: michaelh

2018-02-11 Thread Mark Gaiser
markg added a comment. I just tried this: kdesu gwenview (type root password and go to the root home folder). In gwenview I can now go to that folder. In dolphin (started as user, not root) I can't get into that folder. I don't really see what you try to fix here as it seems to be wor

2018-02-11 Thread Chinmoy Ranjan Pradhan
chinmoyr added a comment. In D10437#204382 , @fvogt wrote: > In D10437#204377 , @chinmoyr wrote: > > > The whole work is being done inside KIO::Job. If the application uses regular Jobs then I can't

2018-02-11 Thread Fabian Vogt
fvogt added a comment. In D10437#204413 , @chinmoyr wrote: > In D10437#204382 , @fvogt wrote: > > > In D10437#204377 , @chinmoyr wrote: > > > > > The wh

2018-02-11 Thread Chinmoy Ranjan Pradhan
chinmoyr added a comment. In D10437#204402 , @markg wrote: > I just tried this: > kdesu gwenview (type root password and go to the root home folder). > In gwenview I can now go to that folder. > In dolphin (started as user, not root) I can

2018-02-11 Thread Mark Gaiser
markg added a comment. In D10437#204416 , @chinmoyr wrote: > In D10437#204402 , @markg wrote: > > > I just tried this: > > kdesu gwenview (type root password and go to the root homefolder). > >

2018-02-11 Thread Anthony Fieroni
anthonyfieroni added inline comments. INLINE COMMENTS
> slavebase.h:957
> + */
> +bool mAppChanged;
Will break ABI, add new member variables only in SlaveBasePrivate. REPOSITORY R241 KIO REVISION DETAIL https://phabricator.kde.org/D10437 To: chinmoyr, #frameworks, dfaure, fvogt

2018-02-11 Thread Chinmoy Ranjan Pradhan
chinmoyr added a comment. In D10437#204417 , @markg wrote: > Could you provide steps to reproduce what you try to fix? Steps:
1. create files /opt/{a,b}
2. open kioslavetest
3. delete /opt/a
4. open ksysguard and send interrupt signal to kiosl

2018-02-11 Thread Fabian Vogt
fvogt added a comment. In D10437#204377 , @chinmoyr wrote: > The whole work is being done inside KIO::Job. If the application uses regular Jobs then I can't see how it can fake it. By not using KIO or using a modified KIO. Never assume yo

2018-02-12 Thread David Faure
dfaure added a comment. Indeed the sender could definitely fake the PID. One could generate and send a sha1 and store it in the slave (and send it as metadata with every command), but this can still be sniffed. I assume the KAuth security principle is that an intruder (who would have acce

2018-02-13 Thread David Faure
dfaure added a comment. Sounds good, but the tricky part will be finding how to run some code in the (idle) slave at the right time. Maybe in SlaveBase::disconnectSlave() ? REPOSITORY R241 KIO REVISION DETAIL https://phabricator.kde.org/D10437 To: chinmoyr, #frameworks, dfaure, fvogt Cc

2018-02-13 Thread Chinmoy Ranjan Pradhan
chinmoyr added a comment. @dfaure I was thinking about revoking authorization just before the idle slave is reassigned by klauncher. polkit-qt-1 provides `revokeTemporaryAuthorization` just for this purpose. We only need to implement it on KAuth's side. Then on slave's side we can do somethi

2018-02-18 Thread Chinmoy Ranjan Pradhan
chinmoyr updated this revision to Diff 27482. chinmoyr added a comment. Changed approach. Now temporary authorization is revoked. REPOSITORY R241 KIO CHANGES SINCE LAST UPDATE https://phabricator.kde.org/D10437?vs=26905&id=27482 BRANCH master REVISION DETAIL https://phabricator.kde.