Is there a dbus-based screen lock vulnerability which could be replicated in KDE?
Is there a dbus-based screen lock vulnerability which could be replicated in KDE?
JYou'd probably have to use a different dbus address
KNot that I have seen, if there was it would have been triggered by the exact same thing
JI'm going to test this in KDE to see if I can replicate it
JIf KDE's login screen can be unlocked with
loginctl unlock-session, then I think it's more likely that a proper fix would be to harden the polkit rules to require some form of authentication for binaries/processes that aren't whitelistedJ(I'm no polkit expert, I just think it seems a teensy bit too trivial for someone to fire off a sleeping payload with a simple
sleep $SECONDS; loginctl unlock-session)KThe whole reason this is using that path too is it's the only way to request gnome not to fall asleep
KIt just happens to also unlock the screen from a locked state
KOr at least it was, maybe things have changed
KStill seems very suspect
Ayou cant, your user has the permission to unlock your session
Athat payload can do whatever somebody sitting on your keyboard can after it unlocks your session
Aso from a security standpoint, not being able to unlock your session is kinda mut
JUnlocking implies that there's a lock. When you have services like gnome-keyring storing your passwords, you don't automatically unlock them even though the files and the contents inside are owned by your user. You still need a security mechanism to ensure that not just anyone is accessing your resources. We already do this in several ways with the login screen before or after login, including A) what you know (password) B) what you have (smart card) C) what you are (biometrics such as fingerprint)
Athe only way to unlock your keyring is to enter your password
KHellow :3
Is there any special setup required to use scrcpy?
I installed it via the bazzite welcome screen, but everytime I want open the App, nothing happens.
ujust just offers a
Is there any special setup required to use scrcpy?
I installed it via the bazzite welcome screen, but everytime I want open the App, nothing happens.
ujust just offers a
install-scrcpy command, but running that, wouldn't help, right?Aits very easy to test this as if you login with a fingerprint, your keyring does not unlock
JI was talking specifically about the login screen for those multiple authentication examples
Asomething running on your device already has access to yoru files
Aso it being able to unlock the lockscreen for an attacker to do the same is not a security vulnerability
Hyafti runs
keep in mind scrcpy works only over usb cable unless you adb to your phone and enable the adb server (a phone reboot kills it)
ujust install-scrcpykeep in mind scrcpy works only over usb cable unless you adb to your phone and enable the adb server (a phone reboot kills it)
Athe lock screen is meant to prevent physical tampering, if your device is owned at the user level, that's already the case
H@antheas let me unlock this random gnome computer
plug in gamepad and press button
this is similar-ish to the razer issue where you could elevate to admin on windows using a razer mouse on a machine that didnt have the driver installed
plug in gamepad and press button
this is similar-ish to the razer issue where you could elevate to admin on windows using a razer mouse on a machine that didnt have the driver installed
Aunfortunate bug with the library that keeps the computer awake
JWe discovered this purely by accident in a distro that packaged software intended to handle an unrelated function. Remember, it was replicated by pressing a button with a gamepad.
Athe endpoint it used unlocks the lockscreen
JWe don't know what other script authors are doing this purely by accident, nevermind out of malice
Awell, looking at the script it handles more than 8 DEs
Asoooo probably accident
JLol
Ajust report the bug and move on, maybe remove it from the image in the meantime
KThanks, I thought it would work kinda like KDE Connect ^^'
HGitHub
Display and control your Android device. Contribute to Genymobile/scrcpy development by creating an account on GitHub.
Hstill worth knowing how to set it up 
KTy, I'll read that 
J@Kyle Gospo I can confirm that
loginctl unlock-session does the exact same thing in KDE. So this probably should get fixed deeper in the stack like in systemdHseems like they have an automatic mode now so it is a lot easier
JLOL VEGETA TIME
JOne solution may be to harden the polkit rules to only accept an
unlock-session action if the user has been authenticated in some wayJ
Authentication is required to lock or unlock active sessions. https://github.com/systemd/systemd/blob/main/src/login/org.freedesktop.login1.policy#L341GitHub
The systemd System and Service Manager . Contribute to systemd/systemd development by creating an account on GitHub.
Athat one unlocks all sessions tho
Asudo loginctl unlock-sessionsJOh, that makes it better then
JA) "I want to unlock all of the sessions on this computer!" B) "No, you need the secret password!" A) "Err just the one session, the only one you can expect to have on a desktop?" B) "Go ahead, I trust you bro"
K"this guy seems legit"
JThe thing is,
loginctl unlock-sessions does work as it should. It will do a polkit-based approach where I can just input my fingerprint. And it will do that without some grace period like with sudo, and it does it unconditionally even if I have just the one seat on my system. But no such prompt happens with loginctl unlock-session when it is just a single letter difference. If this isn't a security vulnerability, then why the hell is it security vulnerability-shaped?JAt the very least it is an inconsistency with systemd polkit rules. Rules which are packaged in the vast majority of distros these days and are relied upon by many desktops
FHey I've tried searching on this discord but don't seem to have a solid find. I've installed Bazzite on my Legion Go coming from Chimera and I'm loving it. It works so well!
Only thing I have to ask is there a way to control the fan? It seems to be stuck on full power all the time. Which isn't bad for gaming but it's annoying when I just want it to sit and download a bunch of games. I've seen LenovoLegionLinux by johnvanv2 but that doesn't list the Legion Go as compatible.
Apologies in advance if this is a stupid question!
Only thing I have to ask is there a way to control the fan? It seems to be stuck on full power all the time. Which isn't bad for gaming but it's annoying when I just want it to sit and download a bunch of games. I've seen LenovoLegionLinux by johnvanv2 but that doesn't list the Legion Go as compatible.
Apologies in advance if this is a stupid question!
ADid you already try LegionGoRemapper? or the hhd fan controls?
A