Bug 487152

Summary: GUI polkit authentication doesn't show long commands
Product: [Plasma] policykit-kde-agent-1
Reporter: Jonas Ryssel <burner+kde>
Component: general
Assignee: Unassigned bugs <unassigned-bugs-null>
Status: RESOLVED UPSTREAM
Severity: normal
CC: cwo.kde, drf, jgrulich, john.kizer, jreznik
Priority: NOR
Version First Reported In: 6.0.4
Target Milestone: ---
Platform: Arch Linux
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Attachments: SteamVR running a command that was cut off

Description Jonas Ryssel 2024-05-17 15:54:35 UTC
Created attachment 169570
SteamVR running a command that was cut off

SUMMARY
GUI polkit authentication doesn't show long commands.

STEPS TO REPRODUCE
1. Run `pkexec echo 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa something malicious aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'`

OBSERVED RESULT
The authentication dialog only shows the beginning and end of the command. That is, "aaaaaaaaa... aaaaaaaa".

EXPECTED RESULT
The entire command to which you give root access is shown (possibly hidden under "details"), such that you can check if it is malicious.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Arch Linux
KDE Plasma Version: 6.0.4
KDE Frameworks Version: 6.1.0
Qt Version: 6.7.0

ADDITIONAL INFORMATION
I don't know if it is even possible to hide something malicious in the middle of a command, but it could potentially be an issue. As for any "real" examples of this issue, I've attached a screenshot of the command run when I updated SteamVR, which got cropped due to being too long.
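To make the concern above concrete, the following is an added example (not code from polkit or policykit-kde-agent) that models the middle elision the dialog shows and demonstrates that two commands differing only in their hidden middle render identically; the display width and the "... " format are assumptions chosen to mimic the observed output.

```python
"""Model of middle elision in a privilege-escalation prompt (added example,
not polkit or KDE agent code). MAX_DISPLAY and ELLIPSIS are assumed values."""
import shlex

ELLIPSIS = "... "
MAX_DISPLAY = 40  # assumed width of the dialog's command field


def elide_middle(command: str, max_len: int = MAX_DISPLAY) -> str:
    """Shorten the command to max_len characters by dropping its middle,
    mirroring the 'beginning... end' display described in the report."""
    if len(command) <= max_len:
        return command
    keep = max_len - len(ELLIPSIS)
    head = keep - keep // 2
    tail = keep // 2
    return command[:head] + ELLIPSIS + command[-tail:]


def display_collides(cmd_a: str, cmd_b: str, max_len: int = MAX_DISPLAY) -> bool:
    """True when two different commands produce the same elided text, i.e. the
    user cannot distinguish them from the dialog alone (the reporter's risk)."""
    return cmd_a != cmd_b and elide_middle(cmd_a, max_len) == elide_middle(cmd_b, max_len)


def render_prompt(argv: list[str], max_len: int = MAX_DISPLAY) -> dict:
    """The mitigation the reporter asks for: a short summary line plus the
    complete, shell-quoted command kept available under a details section."""
    full = shlex.join(argv)
    return {"summary": elide_middle(full, max_len), "details": full}


if __name__ == "__main__":
    # Constructed sample commands: identical head and tail, different middle.
    padding = "a" * 30
    harmless = f"echo '{padding} something harmless {padding}'"
    suspicious = f"echo '{padding} something malicious {padding}'"
    print(elide_middle(harmless))
    print(elide_middle(suspicious))
    print("indistinguishable in dialog:", display_collides(harmless, suspicious))
    print(render_prompt(["echo", "hello world"])["details"])
```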
Comment 1 cwo 2024-09-18 15:00:59 UTC
Thank you for the feature request!

The dialog seems to have changed in the meantime and now only displays the path of the binary, at least for me.

But at least at a glance, having a way to display the full command does seem to be a reasonable request. Moving this to the policy kit agent.
Comment 2 John Kizer 2024-12-03 05:01:49 UTC
Hi - I definitely agree with the spirit of this submission. However, the KDE component would show what it receives from pkexec, which appears to already be truncated. Take a look at the links below:

https://gitlab.freedesktop.org/polkit/polkit/-/issues/147

https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/90

https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/163

And for what it's worth / for any future upstream submissions, the polkit repository is now here: https://github.com/polkit-org/polkit

Thanks,