Keep Password in KDE su
bscott at ntisys.com
Sun Aug 29 22:48:01 EDT 2004
On Sun, 29 Aug 2004, at 10:27am, japhilipson at yahoo.com wrote:
> Question: What happens, and what are the dangers, when you check "Keep
> Password"? How is the password stored and could this later be used as a
> hole by some malware?
From reading the page you linked to, I surmise that the kdesud daemon
keeps a cached copy of the root password in memory. Future connections
within the timeout period to that daemon will then reuse the password.
Presumably, the password is never written to disk by the program itself.
However, if the kdesud daemon does not protect the memory containing the
root password, it could be written to swap space or a core file.
I like the approach sudo uses better. sudo runs SUID-root, uses your user
password, and simply keeps track of the last time you used sudo. No
password caching needed, and the root password never even enters the picture
at all. sudo is also not limited to KDE.
A Google search for kdesu and/or kdesud shows that the software in question
has had security vulnerabilities in the past. Not in the password caching,
but in the implementation of the program itself. That seems to be the usual
case; bugs are rarely in the "security feature" itself, but in the code
surrounding it.
Overall, for single user systems, I suspect the threat posed by kdesu is
likely to be minor in comparison to the other threats most such systems face
(e.g., browser attacks, email attacks, direct attacks against public
services (especially privileged services like SSH)).
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
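The post above notes that an in-memory password cache is only as safe as its protection against swap and core files. The following is an added illustration (not kdesud's or sudo's code) of the defensive measures a daemon holding a cached credential would apply: a core-dump limit of zero, a pinned (mlock'd) anonymous mapping, and a wipe that the compiler cannot optimise away. The `secret_cache` structure and function names are constructed for this example; the mlock call is treated as best-effort because restricted environments may refuse it.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* One cached credential kept in its own page-aligned, private mapping. */
struct secret_cache {
    char   *buf;
    size_t  len;
    int     locked;   /* 1 if mlock() succeeded, so the pages cannot be swapped */
};

/* Refuse core files for this process: a crash must not write the cache to disk. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Map an anonymous region for the secret and try to pin it in RAM. */
int secret_cache_init(struct secret_cache *c, size_t len) {
    c->len = len;
    c->buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (c->buf == MAP_FAILED) return -1;
    c->locked = (mlock(c->buf, len) == 0);   /* best effort; may fail under RLIMIT_MEMLOCK */
#ifdef MADV_DONTDUMP
    madvise(c->buf, len, MADV_DONTDUMP);     /* Linux: exclude the region from any core image */
#endif
    return 0;
}

/* Store the credential for the duration of the cache timeout window. */
int secret_cache_store(struct secret_cache *c, const char *pw) {
    size_t n = strlen(pw);
    if (n + 1 > c->len) return -1;
    memcpy(c->buf, pw, n + 1);
    return 0;
}

/* Overwrite through a volatile pointer so the store is not removed as dead code,
 * verify the wipe, then unlock and release the mapping. Returns 0 on success. */
int secret_cache_wipe(struct secret_cache *c) {
    volatile unsigned char *p = (volatile unsigned char *)c->buf;
    int all_zero = 1;
    for (size_t i = 0; i < c->len; i++) p[i] = 0;
    for (size_t i = 0; i < c->len; i++) if (p[i]) all_zero = 0;
    if (c->locked) munlock(c->buf, c->len);
    munmap(c->buf, c->len);
    c->buf = NULL;
    return all_zero ? 0 : -1;
}
```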