Skip to content

Check that admin worker was installed by root

Felix Ernst requested to merge felixernst/kio:avoid_admin_trojan into master

The worker behind the "admin" protocol typically asks for elevated permissions as soon as it is started. Therefore, if malware hides behind that protocol it will easily get full system access.

Plugins like the KIO admin worker are searched for in various paths and those search paths can even be modified by applications ( https://doc.qt.io/qt-6/qt-conf.html ), so it seems like we can not guarantee that the plugin would have been legitimately installed prior to this commit.

This commit checks that the plugin is owned by root and that other users can not modify it to make sure that an administrator has already actively put that specific software on the system for this specific usage.


I wasn't sure if I should do anything about checking group permissions so I didn't.

Merge request reports

Loading