Unset environment variables before starting kwin_wayland
Review Request #126115 - Created Nov. 19, 2015 and discarded
Any environment variable which can be used to specify a path to a binary object to be loaded in the KWin process bears the risk of being abused to add code to KWin to perform as a key logger. E.g. an env variable pointing QT_PLUGIN_PATH to a location in $HOME and adjusting QT_STYLE_OVERRIDE to load a specific QStyle plugin from that location would allow to easily log all keys without KWin noticing. As env variables can be specified in scripts sourced before the session starts there is not much KWin can do about that to protect itself. This affects all the LD_* variables and any library KWin uses and loads plugins. The list here is based on what I could find: * LD_* variables as specified in the man page * LIBGL_* and EGL_* as specified on mesa page * QT_* variables based on "git grep qgetenv" in qtbase and qtdeclarative combined with Qt's documentation * "git grep getenv" in various KDE frameworks based on ldd output of KWin Unfortunately the list is unlikely to be complete. If one env variable is missed, there is a risk. Even more each change in any library might introduce new variables. The approach is futile, but needed till Linux has a secure way to start the session without sourcing env variable scripts from user owned locations.
Did you consider running the whole script with
env -i, or (likely the better idea) run KWin with
That should sanitize the environment (unset all env vars, except for shell-defaults). You could then set exactly the variables you need, to the exact values you want, so we don't miss unsetting anything.
Okay, I talked to some GNOME people (thanks!) to find out how they handle this issue, and the short answer is: Not at all
Reason for that is that it is really hard to fully secure the compositor if we allow apps to arbitrarily write to config files in HOME.
For example, one process might start to ptrace kwin, catching all input sent through it. Or someone might install a malicious KWin script. Or the bad app might install a .desktop file override in .local/share/applications overriding e.g. Firefox and then catching all the input. Etc.
Also, if the attacker went this far, they already have access to all files in the home directory and likely have reached their goal already.
So, I think we can get KWin secure by adding some really heavy countermeasures (restricting it's access to $HOME, using a setgid bit on it's binary, ...) the question is: Is this effort worth it?