https://bugs.kde.org/show_bug.cgi?id=486453
Bug ID: 486453
Summary: Admin password dialog seems potentially fundamentally unsafe and like a significant downgrade to e.g. Windows UAC
Classification: Plasma
Product: kwin
Version: 6.0.3
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: kwin-bugs-n...@kde.org
Reporter: e...@horse64.org
Target Milestone: ---

Created attachment 169098
--> https://bugs.kde.org/attachment.cgi?id=169098&action=edit
Admin prompt with details when installing software in KDE Discover

SUMMARY

The admin password dialog seems potentially fundamentally unsafe and like a significant downgrade to e.g. Windows UAC. I might be wrong on this one, but let me explain what I would expect the admin dialog to do so that it is safe, and maybe that will help you decide whether I'm onto something here or not.

Here is what I would expect the admin password dialog to provide which it doesn't, and which ultimately seems to make it susceptible to trivial forgery attacks where any application can grab the admin password and do whatever it wants, even with Flatpak sandboxing and Wayland:

1. The admin dialog should at least give me the vaguest chance to figure out which process is asking for permission, because otherwise any other process could simply launch a common admin password dialog at random and hope the user assumes it is legitimate without realizing it comes from a completely different requesting process than usual. In all instances I've found (see the attached screenshots) this is never the case. To make this clear on Linux, I think the following info would be required in the "Details" section:
   1. at the very least the requesting process's initial exact launch command with full arguments,
   2. possibly the process PID,
   3. possibly the requesting process's current effective user id and user name.
   Windows UAC does this by showing the "Program location" on disk if you click "Show details". The KDE admin prompt doesn't seem to show any info here.

   For what it's worth, the "ID" and "vendor" it shows seem useful, but not in a way that would allow most admins to figure out which group of processes would actually have permission to request via this ID+vendor, and whether that may be an impostor app or not. Therefore these seem useful as additional indicators but not good enough. My apologies if that is incorrect.

2. The admin dialog should be visually distinct from whatever a program could launch as a fake, and/or allow using some keyboard combination to identify that it is the "real" one. This would be possible, for example, if the whole desktop were overlaid and dimmed, including the task bar (which Windows UAC can be configured to do, and KDE doesn't do), and by optionally offering to require something like pressing CTRL+ALT+DEL before confirming the UAC prompt, which needs to be a combination that can't be grabbed by any non-admin app, so that if it is pressed and advances the UAC dialog you know it's the real one (which KDE doesn't seem to offer as an option either, but Windows UAC does). This would also be made even safer by requiring an opt-in prompt for fullscreen from any Flatpak-sandboxed application, such that a screenshot of the desktop can't be taken and then modified on the fly to show the dialog with a dim overlay in front to fake it, since it would require a fullscreen prompt that would make you aware something is being overlaid.

STEPS TO REPRODUCE

1. Look at admin prompts; see the attachments, which have the example of virt-manager requiring the admin password, and a "Terminal - Super User Mode" requiring the admin password.

OBSERVED RESULT

It's not possible to rule out a forgery of the dialog (= 100% fake dialog prompted by another app), and it's not possible to rule out an unexpected app prompting instead of the expected one (= real dialog, but prompted by a different app than usual, unexpectedly elevating the wrong one).

EXPECTED RESULT

Forgery and app mix-ups are at least on a basic level somewhat ruled out for attentive users who make use of all the information shown in the dialog.

SOFTWARE/OS VERSIONS

Windows:
macOS:
Linux/KDE Plasma: openSUSE Slowroll (available in About System)
KDE Plasma Version: plasmashell 6.0.3
KDE Frameworks Version: 6.0.0
Qt Version: 6.6.3

ADDITIONAL INFORMATION
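Editor's note, added below the report: the first point in the report asks the dialog to show the requester's launch command, PID and effective user. On Linux all three are readable from procfs, so the following added example (it is not code from the report, KDE or polkit) shows what an authentication agent could gather for a given PID, together with two caveats a practitioner would want. First, `/proc/<pid>/cmdline` is rewritable by the process itself, so only `/proc/<pid>/exe` (a kernel-maintained symlink) and the `Uid:` line of `/proc/<pid>/status` are trustworthy; second, a PID can be recycled, so a requester should be identified by the pair (PID, start time from `/proc/<pid>/stat`), which is the same identity polkit's unix-process subject uses. The function names, the fake procfs tree and the sample process (virt-manager, euid 1000) are constructed for the example and are assumptions, not anything observed on the reporter's system.

```python
"""Gather the identity of a process that is requesting privilege, from procfs.

Added example, not KDE or polkit code. Assumes the Linux procfs layout.
"""
import os
import pwd
from pathlib import Path


def describe_requester(pid, proc_root="/proc"):
    """Return the details an admin prompt could show for the process `pid`."""
    p = Path(proc_root) / str(pid)

    # argv as the process currently presents it. NOTE: a process may overwrite
    # its own argv, so this is a hint, not evidence.
    raw = p.joinpath("cmdline").read_bytes()
    if raw.endswith(b"\0"):            # kernel terminates each argument with NUL
        raw = raw[:-1]
    argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0")] if raw else []

    # Kernel-maintained link to the executable; comparable to UAC's "Program location".
    try:
        exe = os.readlink(p / "exe")
    except OSError:                    # kernel thread, zombie, or permission denied
        exe = None

    # "Uid:\treal\teffective\tsaved\tfs" from /proc/<pid>/status
    euid = None
    for line in p.joinpath("status").read_text().splitlines():
        if line.startswith("Uid:"):
            euid = int(line.split()[2])
            break
    try:
        user = pwd.getpwuid(euid).pw_name if euid is not None else None
    except KeyError:
        user = None

    return {
        "pid": pid,
        "exe": exe,
        "argv": argv,
        "euid": euid,
        "user": user,
        "start_time": read_start_time(p),
    }


def read_start_time(proc_pid_dir):
    """Field 22 (starttime, in clock ticks since boot) of /proc/<pid>/stat.

    The comm field (2) is in parentheses and may itself contain spaces or ')',
    so parse from the last ')' onward rather than splitting the whole line.
    """
    stat = Path(proc_pid_dir).joinpath("stat").read_text()
    after_comm = stat[stat.rindex(")") + 2:].split()   # after_comm[0] is field 3
    return int(after_comm[22 - 3])


def is_same_process(pid, start_time, proc_root="/proc"):
    """True if `pid` still refers to the process seen earlier with `start_time`.

    A bare PID is unsafe to act on later because PIDs are reused; the
    (pid, start_time) pair is what an agent should bind its decision to.
    """
    try:
        return read_start_time(Path(proc_root) / str(pid)) == start_time
    except (OSError, ValueError):
        return False


def write_fake_proc_entry(root, pid, argv, exe_target, uids, start_time,
                          comm="virt (mgr)"):
    """Construct a minimal fake /proc/<pid> tree so the example runs offline."""
    p = Path(root) / str(pid)
    p.mkdir(parents=True)
    p.joinpath("cmdline").write_bytes(b"".join(a.encode() + b"\0" for a in argv))
    os.symlink(exe_target, p / "exe")
    p.joinpath("status").write_text(
        f"Name:\t{comm}\nUid:\t" + "\t".join(map(str, uids)) + "\n")
    fields = ["S", "1", str(pid), str(pid), "0", "-1", "4194560"] + ["0"] * 12
    fields.append(str(start_time))                       # lands on field 22
    p.joinpath("stat").write_text(f"{pid} ({comm}) " + " ".join(fields) + "\n")


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    # Constructed sample: a virt-manager process, euid 1000, started at tick 987654.
    write_fake_proc_entry(root, 4242, ["/usr/bin/virt-manager", "--no-fork"],
                          "/usr/bin/python3", (1000, 1000, 1000, 1000), 987654)
    print(describe_requester(4242, proc_root=root))
    print(is_same_process(4242, 987654, proc_root=root))
```

Run against the real `/proc` by passing a live PID and omitting `proc_root`; reading `exe` and `stat` of another user's process requires the agent to have the appropriate privilege, which is why the fallback to `None` is there.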