For those concerned about security in KDE, please vote for openfate#312876

For those concerned about security in KDE, please vote for openfate#312876

Per Jessen-2
Not about the software, but still a significant security issue:

https://features.opensuse.org/312876

(might apply to other window managers too, but we only use KDE).


--
Per Jessen, Zürich (11.3°C)

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: For those concerned about security in KDE, please vote for openfate#312876

jdd@dodin.org
On 25/10/2011 15:41, Per Jessen wrote:
> Not about the software, but still a significant security issue:
>
> https://features.opensuse.org/312876
>
> (might apply to other window managers too, but we only use KDE).
>
>
Given the present -13 score, it doesn't seem to be popular.

I don't see it as a good default either.

jdd

--
http://www.dodin.net
http://pizzanetti.fr

Re: For those concerned about security in KDE, please vote for openfate#312876

Per Jessen-2
jdd wrote:

> On 25/10/2011 15:41, Per Jessen wrote:
>> Not about the software, but still a significant security issue:
>>
>> https://features.opensuse.org/312876
>>
>> (might apply to other window managers too, but we only use KDE).
>>
>>
> Given the present -13 score, it doesn't seem to be popular.

Haha, I guess we can conclude that no one is worried about security ...



--
Per Jessen, Zürich (10.6°C)


Re: For those concerned about security in KDE, please vote for openfate#312876

C-29
On Tue, Oct 25, 2011 at 17:52, Per Jessen <[hidden email]> wrote:

>> On 25/10/2011 15:41, Per Jessen wrote:
>>> Not about the software, but still a significant security issue:
>>>
>>> https://features.opensuse.org/312876
>>>
>>> (might apply to other window managers too, but we only use KDE).
>>>
>>>
>> Given the present -13 score, it doesn't seem to be popular.
>
> Haha, I guess we can conclude that no one is worried about security ...

I don't think it's so much that no one is worried about security...
it's more like we're thinking about general usability.  The proposal
is a reasonable one in the use-case you presented, but... in a more
broad sense, it would be more of an annoyance to the larger population
of users.  The risk is negligible.


C.

Re: For those concerned about security in KDE, please vote for openfate#312876

jdd@dodin.org
In reply to this post by Per Jessen-2
On 25/10/2011 17:52, Per Jessen wrote:

> Haha, I guess we can conclude that no one is worried about security ...

I'm very concerned by the default "log without passwd" install, but
was abruptly sent out when asking why this was set up.

But I think users can set up their own session if they want to (and I
can disable this if I want for other users).

jdd

--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: For those concerned about security in KDE, please vote for openfate#312876

Rüdiger Meier
On Tuesday 25 October 2011, jdd wrote:
> On 25/10/2011 17:52, Per Jessen wrote:
> > Haha, I guess we can conclude that no one is worried about security
> > ...
>
> I'm very concerned by the default "log without passwd" install, but
> was abruptly sent out when asking why this was set up.

Hehe, that'd be real fun. Automatic login without password per default
but then have to type password each 15 seconds while trying to watch a
video.
(Remember, only root should be able to disable screen saver but not
user's video player which would be a security hole!)


cu,
Rudi

Re: For those concerned about security in KDE, please vote for openfate#312876

Per Jessen-2
In reply to this post by C-29
C wrote:

> On Tue, Oct 25, 2011 at 17:52, Per Jessen <[hidden email]> wrote:
>>> On 25/10/2011 15:41, Per Jessen wrote:
>>>> Not about the software, but still a significant security issue:
>>>>
>>>> https://features.opensuse.org/312876
>>>>
>>>> (might apply to other window managers too, but we only use KDE).
>>>>
>>>>
>>> Given the present -13 score, it doesn't seem to be popular.
>>
>> Haha, I guess we can conclude that no one is worried about security
>> ...
>
> I don't think it's so much that no one is worried about security...
> it's more like we're thinking about general usability.  The proposal
> is a reasonable one in the use-case you presented, but... in a more
> broad sense, it would be more of an annoyance to the larger population
> of users.  The risk is negligible.

Maybe it is, but that didn't stop us installing apparmor by default
(for instance).
If you ask a security expert, he or she will tell you social engineering
is in fact the biggest security risk in most places.
http://en.wikipedia.org/wiki/Social_engineering_%28security%29

Regardless, I was pointed to the Kiosk tool, which looks somewhat
promising. Only somewhat, because there seem to be some doubts about
whether it works in KDE4.


--
Per Jessen, Zürich (10.1°C)


Re: For those concerned about security in KDE, please vote for openfate#312876

todd rme
On Tue, Oct 25, 2011 at 7:04 PM, Per Jessen <[hidden email]> wrote:

> C wrote:
>
>> On Tue, Oct 25, 2011 at 17:52, Per Jessen <[hidden email]> wrote:
>>>> On 25/10/2011 15:41, Per Jessen wrote:
>>>>> Not about the software, but still a significant security issue:
>>>>>
>>>>> https://features.opensuse.org/312876
>>>>>
>>>>> (might apply to other window managers too, but we only use KDE).
>>>>>
>>>>>
>>>> Given the present -13 score, it doesn't seem to be popular.
>>>
>>> Haha, I guess we can conclude that no one is worried about security
>>> ...
>>
>> I don't think it's so much that no one is worried about security...
>> it's more like we're thinking about general usability.  The proposal
>> is a reasonable one in the use-case you presented, but... in a more
>> broad sense, it would be more of an annoyance to the larger population
>> of users.  The risk is negligible.
>
> Maybe it is, but that didn't stop us installing apparmor by default
> (for instance).
> If you ask a security expert, he or she will tell you social engineering
> is in fact the biggest security risk in most places.
> http://en.wikipedia.org/wiki/Social_engineering_%28security%29
>
> Regardless, I was pointed to the Kiosk tool, which looks somewhat
> promising. Only somewhat, because there seem to be some doubts about
> whether it works in KDE4.

Kiosk is used for locking down stuff like this, kiosktool is a GUI
which can control kiosk.  Kiosk should work fine for this purpose, you
just need to manually set up rules for screensavers.  These rules are
supposed to work for KDE 3, you should be able to adapt them for KDE 4
by finding the proper configuration entry:

http://lists.kde.org/?l=kde-kiosk&m=112142810808206

See here for general instructions:

http://techbase.kde.org/KDE_System_Administration/Kiosk/Introduction

I don't know the state of kiosktool, but kiosktool is merely a GUI to
make it easier to configure kiosk.  You don't need to use kiosktool to
run kiosk.  If you have more questions about kiosk you should probably
ask on that mailing list.

-Todd

Re: For those concerned about security in KDE, please vote for openfate#312876

Per Jessen-2
todd rme wrote:

> On Tue, Oct 25, 2011 at 7:04 PM, Per Jessen <[hidden email]> wrote:
>
>> Regardless, I was pointed to the Kiosk tool, which looks somewhat
>> promising. Only somewhat, because there seem to be some doubts about
>> whether it works in KDE4.
>
> Kiosk is used for locking down stuff like this, kiosktool is a GUI
> which can control kiosk.

But do I get them both by installing kiosktool, or is kiosk installed by
default? I searched on 'kiosk' with yast and only found kiosktool.

> Kiosk should work fine for this purpose, you just need to manually set
> up rules for screensavers.  These rules are supposed to work for KDE
> 3, you should be able to adapt them for KDE 4 by finding the proper
> configuration entry:
>
> http://lists.kde.org/?l=kde-kiosk&m=112142810808206
>
> See here for general instructions:
>
> http://techbase.kde.org/KDE_System_Administration/Kiosk/Introduction
>
> I don't know the state of kiosktool, but kiosktool is merely a GUI to
> make it easier to configure kiosk.  You don't need to use kiosktool to
> run kiosk.  If you have more questions about kiosk you should probably
> ask on that mailing list.

Thanks, and thanks again for mentioning it, I really had no idea it
existed.


--
Per Jessen, Zürich (8.2°C)
