Summary: | clipboard history in systray cannot be really disabled, security problem | ||
---|---|---|---|
Product: | [Unmaintained] klipper | Reporter: | empire |
Component: | plasma-widget | Assignee: | Martin Flöser <mgraesslin> |
Status: | RESOLVED WORKSFORME | ||
Severity: | major | CC: | aleixpol, alex-kostjukov, aron.heinecke, emrecio, fincer89, Hamburger1984, joe.harvell.x, kde, kde, kde, marek, mklapetek, rdieter, sancelot, shaikadzari, zmp.kde.bugreport |
Priority: | NOR | ||
Version: | 5.4.0 | ||
Target Milestone: | --- | ||
Platform: | Arch Linux | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Sentry Crash Report: |
Description
empire
2015-09-02 18:02:24 UTC
That does seem to be happening. I don't think it's a particularly big security problem; but it's definitely a waste of memory. Confirming.

It's more of a privacy problem than security really.

Having said that I think it still makes it particularly easy for a malicious program to have a convenient store of previous copy pastes with high probability of copied passwords. I use a wallet manager with strong passwords and copy paste passwords often and I'm concerned about my clipboard privacy. Keepass, which is a popular and security conscious wallet manager, makes a big issue out of the external clipboard handling and it goes out to erase the clipboard contents after a prompt timeout so that it exposes the passwords as little as possible. To have clipboard history in this case just makes all this effort futile.

if a malicious app wanted to do that, they could just monitor your clipboard in exactly the same way the klipper backend does, clipboards are just a public property in X. my concern when this was brought up on the forum was rather "malicious humans" - or your wife ;-) (simple rule is that if a malicious tool executes with your user permissions, your privacy is nuked. when it has root permissions, game's over) however, this might point to a bug in unloading plugins, what, if general, might indeed cause quite some trouble (memorywise and on implicit singletons)

For me (using fedora 22, plasma 5.4.1) the new klipper breaks pwsafe for me. Please provide a way to (at least temporary) disable grabbing everything from the clipboard!

(In reply to Andreas Krohn from comment #5)
> For me (using fedora 22, plasma 5.4.1) the new klipper breaks pwsafe for me.
> Please provide a way to (at least temporary) disable grabbing everything
> from the clipboard!

agreed! And it may conflict with Klipper (which is far superior UI) which *can* be turned off.

In my case, this is not a privacy or security problem. That's only a feature I don't want on a desktop customised for an industrial application. Regards, S.Ancelot

This is a plugin ? a service? It may be disabled?

I would like to add my vote to an option to disable the clipboard widget completely. I really don't want this feature at my work (someone could see a password they should not).

> This is a plugin ? a service?

In a way, yes. Every applet is a "plugin" loaded into plasmashell process. Klipper is no different. Technically you could permanently disable it by just removing the applet from your system (located at /usr/share/plasma/plasmoids/org.kde.plasma.clipboard).

(In reply to Martin Klapetek from comment #11)
> In a way, yes. Every applet is a "plugin" loaded into plasmashell process.
> Klipper is no different. Technically you could permanently disable it by
> just removing the applet from your system (located at
> /usr/share/plasma/plasmoids/org.kde.plasma.clipboard).

Thanks for the work around. I don't consider this a solution because any time I upgrade this package through my distro it will be re-enabled.

> just removing the applet from your system

Umm, isn't unchecking "Clipboard" in System Setting's Additional Entries configuration enough?

(In reply to Kai Uwe Broulik from comment #13)
> > just removing the applet from your system
>
> Umm, isn't unchecking "Clipboard" in System Setting's Additional Entries
> configuration enough?

https://forum.kde.org/viewtopic.php?f=66&t=128086#p341072

Looks like you can't. I tried confirming this myself, but with system settings in plasma 5.5.4, I don't see a category called "Additional Entries," and when I search in the top right search text field for clipboard it doesn't find anything.

System Tray settings, sorry. I.e., right-click the arrow on the icons next to the clock, choose "System Tray Settings" and there's a list of "Additional Entries". Uncheck "Clipboard" and the applet will be removed (it won't just be hidden in the popup but not even loaded anymore).

Yes, that appears to solve it. Thanks.

Given comment #15 and #16 it seems that it's still possible to completely disable it, so there seems to be no bug.

This doesn't appear to be true anymore, at least in 5.5.5. Exactly as the original report states, unchecking the clipboard in "System Tray Settings" will hide it, but anything that is copied AFTER hiding it will show up in the clipboard again should you ever select clipboard in System Tray Settings again.

This problem reappeared for me on plasma 5.7.0-2 (archlinux package). 'System Tray Settings' (accessed by right click on the arrow) no longer contain Clipboard in 'General -> Extra Items' section. Instead it appears in 'Entries' panel - and there is no option to disable it. Only available options are 'Visible, Hidden, Auto'. Furthermore none of these states removes Clipboard from the System Tray dropdown panel. Thus, on top of inability to disable it, we can no longer hide it as well.

My system tray still has a General section there and one can remove items through it (just tested). This sounds like a problem with the update. Best check with your distribution whether all packages were installed and old ones properly removed. The implementation of the systemtray got exchanged in 5.7.

You were right, reinstalling plasma packages and restarting the desktop environment did the trick. Apologies for sounding the alarm. This is definitely a better way than to manually remove the plasmoid in /usr/share/plasma/plasmoids/org.kde.plasma.clipboard.

Kubuntu 16.04, Plasma 5.5.5
There's no "quit" option nor a file to disable the autostart like it was said in the docs. This is really a problem with password managers at applications where the autotype isn't working that well. Even more when the whole history should be saved to the disk. I'm really frustrated by this problem. Grep in the process tree does also not work, it really is integrated into the plasma process. +1 for optionality like nearly every core feature that can be disabled via "Background Tasks" option... I'm sorry but I'm really shocked about this.

Please see comment #15 on how to disable the klipper plasmoid from loading.

You are right, I can disable it via that option and once I've (relogged?) restarted, the application really isn't running in background any more (until that point it is). But what I would prefer even more would be an option to disable the clipboard tracking when a certain application is running, and to track it again when it's closed. By this I could use the wonderful idea behind klipper but would be spared from the problems when my password manager is open.

> disable the clipboard tracking when a certain application is running

ah I get what you mean - like bug #156547. It's tricky. On X11 at least the clipboard does not know where data is copied from, so it cannot exclude say for firefox.

> where data is copied from

I would already be okay with a ps aux | grep implemented, which disables the tracking until the process with that specific name is closed.
Or even easier: "[ ] Track clipboard" option in the rightclick-menu, so I can disable it beforehand and enable it afterwards again.
P.S.: Updating the docs to give you the hint that you can at least completely disable it by right clicking the arrow would already be a great help. I've spent 2h before trying to look for the docs specified config files (which don't exist nowadays) and getting an autostart=false entry to work.