Bug 434808 - Is it a security risk when kwin scripts can call any dbus method?
Status: RESOLVED NOT A BUG
Alias: None
Product: kwin
Classification: Plasma
Component: scripting (other bugs)
Version First Reported In: unspecified
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: KWin default assignee
Reported: 2021-03-23 01:16 UTC by trmdi
Modified: 2021-03-24 10:20 UTC

Description trmdi 2021-03-23 01:16:08 UTC
SUMMARY

Any script can use callDBus to execute any command with methods provided by the KLauncher service.

What do you think about this?
Comment 1 trmdi 2021-03-24 05:03:28 UTC
Maybe whenever a call to KLauncher is made, there should be a confirm dialog, like the way Dolphin does when the user clicks on an executable file?
Comment 2 David Edmundson 2021-03-24 10:20:40 UTC
It is not a security risk in the sense that we never claim to provide any sandboxing or protection.

Same for dolphin file extensions, plasmoids or anything else.

We should definitely be putting some warning into these GHNS dialogs.



>Maybe whenever a call to KLauncher is made, there should be a confirm dialog

Trying to plug holes after running random code is a more dangerous game as we're making promises that we can never fill.
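
For anyone reviewing a downloaded KWin script before enabling it, the following added example (not code from KWin or from this report) statically lists every `callDBus` reference in script source and flags those that target a KLauncher service or whose destination is not a plain string literal. The watchlist, the sample lines and the placeholder method and interface names are constructed, and the `org.kde.klauncher5` service name is an assumption about the installed Plasma version.

```javascript
// Added example: static audit of KWin script source for callDBus() use.
// KWin signature: callDBus(service, path, interface, method, ...args[, callback])
const WATCHLIST = ["klauncher"]; // assumed watchlist; substring match on the service
const skipSpace = (src, i) => { while (i < src.length && /\s/.test(src[i])) i++; return i; };

// Read the string literal whose opening quote is at src[i]; an escape is kept
// as the escaped character, which is enough for D-Bus names.
function readString(src, i) {
  let value = "";
  for (let j = i + 1; j < src.length; j++) {
    if (src[j] === "\\") { value += src[++j] || ""; continue; }
    if (src[j] === src[i]) return { value, end: j + 1 };
    value += src[j];
  }
  return null; // unterminated literal
}

function findDBusCalls(source) {
  const findings = [];
  const re = /\bcallDBus\b/g;
  for (let m; (m = re.exec(source)) !== null; ) {
    const line = source.slice(0, m.index).split("\n").length;
    const args = [];
    let i = skipSpace(source, re.lastIndex);
    const direct = source[i] === "("; // false for aliases such as `var f = callDBus`
    // Collect the four leading arguments while they are plain string literals.
    while (direct && args.length < 4) {
      i = skipSpace(source, i + 1);
      if (source[i] !== '"' && source[i] !== "'") break;
      const s = readString(source, i);
      if (!s) break;
      args.push(s.value);
      i = skipSpace(source, s.end);
      if (source[i] !== ",") break;
    }
    const [service = null, path = null, iface = null, method = null] = args;
    const dynamic = args.length < 4; // destination cannot be read statically
    const watched = service !== null && WATCHLIST.some((w) => service.toLowerCase().includes(w));
    findings.push({ line, service, path, iface, method, dynamic, flagged: dynamic || watched });
  }
  return findings;
}

// Constructed sample script lines; "placeholderMethod" and org.example.* are not real APIs.
const SAMPLE = [
  'callDBus("org.kde.KWin", "/KWin", "org.kde.KWin", "nextDesktop");',
  'callDBus("org.kde.klauncher5", "/KLauncher", "org.kde.KLauncher", "placeholderMethod");',
  'var svc = readConfig("service", "");',
  'callDBus(svc, "/placeholder", "org.example.Placeholder", "placeholderMethod");',
  'var send = callDBus;',
].join("\n");
console.log(findDBusCalls(SAMPLE).filter((f) => f.flagged));
```

A clean result here only means no literal call to a watched service was found; as the comments above say, the script still runs without any sandbox.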