Bug 234362 - Server grab easily bypassed
Status: RESOLVED WORKSFORME
Alias: None
Product: kdm
Classification: Miscellaneous
Component: general
Version: unspecified
Platform: Ubuntu Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdm bugs tracker
Reported: 2010-04-14 17:49 UTC by David Moreno
Modified: 2012-02-13 14:26 UTC
Description David Moreno 2010-04-14 17:49:52 UTC
Version:            (using KDE 4.3.5)
OS:                Linux
Installed from:    Ubuntu Packages

Server grab is performed on kdm to avoid certain attacks. 

It can be easily bypassed just by opening any menu (session chooser, for example). Then the X ungrabs the server.

It can be tested by opening a virtual keyboard (I tested with klavier; add it as "(sleep 2; klavier ) &" in /etc/kde4/kdm/Xsetup). It should not be usable, but if any menu is opened, it becomes usable.
Comment 1 Oswald Buddenhagen 2010-04-29 01:03:17 UTC
hmpf. kdm "chases behind" qt to immediately re-grab the inputs once the popups are gone. this worked at some point, so maybe a newer qt broke it. is the ungrab really permanent or is there something you can do (other than restarting the greeter) to make klavier not work again?
Comment 2 Oswald Buddenhagen 2011-05-14 11:31:02 UTC
works for me with qt 4.7.3, x server 1.9.99.901.
Comment 3 Rex Dieter 2011-05-16 21:12:10 UTC
on kdm screen,  either using mouse or keyboard to navigate
menu->Shutdown
results in a 
"T_urn of Computer"
"R_estart Computer"
"C_ancel"
dialog that (still) cannot be controlled via keyboard.  It's as if it lacks focus.

Tested on Fedora 15 with qt-4.7.3, kde-4.6.3, x server 1.10.1
Comment 4 Rex Dieter 2012-02-13 14:26:45 UTC
Per my comment to bug #268988, adding to /etc/kde/kdm/kdmrc either:
GrabInput=Always
or
GrabServer=true
seems to help the immediate issue for me.
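
An added example, not part of the bug report or kdm's own code: a shell check that reports whether a kdmrc file carries one of the two settings from comment 4 as an active (uncommented) line. The function name, the case-insensitive value match, the section name and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# check_kdm_grab FILE
# Prints every active GrabInput/GrabServer line with the section it sits in.
# Returns 0 only if GrabInput=Always or GrabServer=true is present.
# Assumption: values are compared case-insensitively.
check_kdm_grab() {
    awk '
        /^[ \t]*#/  { next }    # a commented-out setting has no effect
        /^[ \t]*\[/ { section = $0; gsub(/^[ \t]+|[ \t]+$/, "", section); next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "GrabInput" || key == "GrabServer") {
                printf "%s %s=%s\n", section, key, val
                if (key == "GrabInput"  && tolower(val) == "always") ok = 1
                if (key == "GrabServer" && tolower(val) == "true")   ok = 1
            }
        }
        END { exit(ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample files (not taken from the bug report).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '[X-*-Greeter]' '#GrabServer=true' 'GrabServer=false' > "$tmp/weak"
    printf '%s\n' '[X-*-Greeter]' 'GrabServer=true' > "$tmp/fixed"
    for f in weak fixed; do
        if check_kdm_grab "$tmp/$f" >/dev/null; then
            echo "$f: grab forced"
        else
            echo "$f: grab not forced"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On a real system the function would be pointed at /etc/kde/kdm/kdmrc, the path given in comment 4.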