SUMMARY
Would it be possible, perhaps with Wayland, to isolate keyboard input when the user types in the password, such that no other process can log keystrokes?

STEPS TO REPRODUCE
1. `xinput list`
2. `xinput test <id of the keyboard device>`
3. In a different terminal, `pkexec bash`

OBSERVED RESULT
Every keystroke typed in the password input of the PolicyKit1 KDE Agent dialog is logged by the `xinput test` command.

EXPECTED RESULT
Typing the password in the PolicyKit1 KDE Agent input box should not result in keystrokes being logged.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: KDE neon 5.21

ADDITIONAL INFORMATION
http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
You mentioned this could be solved on Wayland, but your trick already doesn't work on Wayland today. For me, nothing is logged by "xinput test".

Also, could you please clarify what you mean by "a la gksudo"? gksudo is deprecated and not shipped at all by most distros anymore, so I cannot tell whether it manages to protect itself against this on X11.

Please note as well that you should not enter your password into anything if you suspect untrusted processes are running as your user. There are numerous other attacks, like "debugging" the agent or simply impersonating the password prompt.
Created attachment 136099 [details]
xinput test still logs keystrokes from PolicyKit1 KDE Agent

I'm not very familiar with this security aspect, or much with Wayland, so please pardon my inexact terminology. Joanna's demo works just fine on KDE neon 5.21, as seen in the attached screencast. I guess Wayland isn't enabled yet, perhaps due to the showstoppers?[1]

> Also, could you please clarify what you mean by "a la gksudo"?
> gksudo is deprecated and not shipped at all by most distros at all anymore,
> so I cannot tell whether it manages to protect itself against this on X11.

Back in 2011, gksudo was reported to be resistant to this keylogging attack at https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html?showComment=1303668459694#c644649620501650773

> Please note as well that in you should not enter your password into anything if you
> suspect untrusted processes are running as your user. There are numerous other attacks,
> like "debugging" the agent or simply impersonating the password prompt.

Right. My threat model is that I may not know whether untrusted code is running in a dependency confusion type of attack[2], and it could log keystrokes, including those I type into a legitimate prompt.

[1]: https://community.kde.org/Plasma/Wayland_Showstoppers
[2]: https://blog.malwarebytes.com/hacking-2/2021/02/researchers-audacious-hack-demonstrates-new-type-of-supply-chain-attack/
Your session is running on X11, otherwise xinput would complain that it can only eavesdrop Xwayland.

Apparently gksudo tries to grab keyboard and mouse input, which supposedly prevents eavesdropping via XTest extension. Daniel Stone seems to confirm this on the Wayland mailing list [1]. However, I tested with gksudo on Ubuntu 12.04 now and "xinput test" does register the keystrokes corresponding to the password.

I have now set this bug back to reported, as I think all relevant information has been supplied. Even implementing the grab in the polkit agent will not protect you in your threat model, as at least the impersonation attack still works. You want to run untrusted apps in containers without access to your home directory or any real GUI system.

[1]: https://lists.freedesktop.org/archives/wayland-devel/2012-February/002176.html
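The reproduction steps in the report and the session-type point made in the comment above, put together as an added example (this is not code from the bug report, from KDE or from any of the commenters): the script refuses to run `xinput test` unless the session really is X11, since on Wayland xinput only sees Xwayland clients, and it extracts the slave keyboard ids from `xinput list` output instead of asking the reader to pick one by eye. The helper names, the sample `xinput list` output and the environment-variable heuristics are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or KDE): wrap the reporter's
# reproduction steps in a session check and a small parser for `xinput list`.
# Function names and the sample output below are hypothetical/constructed.

# Classify the session from the variables systemd-logind and the display
# servers export. Prints x11, wayland or unknown. XDG_SESSION_TYPE is the
# authoritative source when logind set it; the DISPLAY/WAYLAND_DISPLAY
# fallback is a heuristic (assumption of this example).
session_type() {
  case "${XDG_SESSION_TYPE:-}" in
    x11|wayland) printf '%s\n' "$XDG_SESSION_TYPE"; return 0 ;;
  esac
  if [ -n "${WAYLAND_DISPLAY:-}" ]; then
    printf 'wayland\n'
  elif [ -n "${DISPLAY:-}" ]; then
    printf 'x11\n'
  else
    printf 'unknown\n'
  fi
}

# Print the numeric ids of slave keyboard devices found in `xinput list`
# output read from stdin. Master devices and pointer devices are skipped.
keyboard_ids() {
  sed -n 's/.*id=\([0-9][0-9]*\).*\[slave *keyboard.*/\1/p'
}

# Constructed sample of `xinput list` output, so the parser can be exercised
# without an X server. Real output differs from machine to machine.
sample_xinput_list() {
  printf '%s\n' \
    '⎡ Virtual core pointer                    id=2  [master pointer  (3)]' \
    '⎜   ↳ Virtual core XTEST pointer          id=4  [slave  pointer  (2)]' \
    '⎣ Virtual core keyboard                   id=3  [master keyboard (2)]' \
    '    ↳ Virtual core XTEST keyboard         id=5  [slave  keyboard (3)]' \
    '    ↳ AT Translated Set 2 keyboard        id=12 [slave  keyboard (3)]'
}

# List the keyboard device ids of the live session (requires xinput).
list_keyboards() {
  xinput list | keyboard_ids
}

# Attach `xinput test` to one keyboard id, but only on an X11 session.
# Usage: eavesdrop_test <id>; then run `pkexec bash` in another terminal
# and type into the polkit prompt. Key press/release events appearing
# here are the symptom the bug report describes.
eavesdrop_test() {
  id=$1
  t=$(session_type)
  if [ "$t" != x11 ]; then
    echo "session type is '$t', not x11: xinput cannot eavesdrop native clients here" >&2
    return 1
  fi
  case "$id" in
    ''|*[!0-9]*) echo "usage: eavesdrop_test <numeric device id>" >&2; return 2 ;;
  esac
  xinput test "$id"
}
```

Usage: `. ./xinput-check.sh; list_keyboards; eavesdrop_test 12` (substitute the id of your physical keyboard, not the XTEST virtual one). On a Wayland session the script exits before touching xinput, which is the quick way to tell whether a successful capture is a real finding or an artifact of running on X11.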
There are significant trade-offs here. Grabbing all keyboard and mouse input requires that the auth dialog be system-modal. This prevents the use of password managers or Plasma Vault (one of which may be used to store a plaintext version of the password). GNOME does this and users are constantly complaining about how annoying it is. On the other hand, it would automatically fix Bug 312325 as well as this one.
Looks like KeepassXC's autotype already doesn't work on Wayland - https://github.com/keepassxreboot/keepassxc/issues/3868