https://bugs.kde.org/show_bug.cgi?id=259678

--- Comment #10 from Andrius Štikonas <andr...@stikonas.eu> ---
(In reply to Martin Gräßlin from comment #9)
> Please note that running an application as root on X11 means that your
> system is potentially instantly owned. I wrote a test case for such a
> situation recently, more information at
> https://marc.info/?l=kfm-devel&m=145192452218315&w=2
> 
> You can be certain that also partitionmanager can be exploited that way.
> Please disallow root access and switch to polkit ASAP. This is not a
> wishlist, this is in fact a severe security vulnerability.

Dear Martin,

I am not sure though whether polkit would fix that exploit path. Kate or
Dolphin are usually used as a normal user and don't need root unless something
very specific is done. On the other hand, KPM needs root for everything:
detection of partitions, ALL write operations, etc... It often needs full write
access to block devices as files anyway, so it's not clear whether polkit would
be able to attain any finer granularity and prevent that security issue.

So that exploit on any write operation with polkit'ed KPM would still be able
to take over and delete all partitions... Or do some other nasty stuff. After
all, KPM is system software to mess up with hard disks.

Clearly we need to move to Wayland ASAP which is getting closer thanks to your
effort...

Of course polkit would improve some other aspects, like correct fonts and theme
but the amount of work required here would be very non-trivial.
