If KDE's login screen can be unlocked with `loginctl unlock-session`, then I think it's more likely

If KDE's login screen can be unlocked with

loginctl unlock-session

loginctl unlock-session

loginctl unlock-session

loginctl unlock-session, then I think it's more likely that a proper fix would be to harden the polkit rules to require some form of authentication for binaries/processes that aren't whitelisted

jstoneOP•3/29/24, 12:52 AM

(I'm no polkit expert, I just think it seems a teensy bit too trivial for someone to fire off a sleeping payload with a simple sleep $SECONDS; loginctl unlock-sessionsleep $SECONDS; loginctl unlock-session)

Kyle Gospo•3/29/24, 12:53 AM

The whole reason this is using that path too is it's the only way to request gnome not to fall asleep

Kyle Gospo•3/29/24, 12:53 AM

It just happens to also unlock the screen from a locked state

Kyle Gospo•3/29/24, 12:53 AM

Or at least it was, maybe things have changed

Kyle Gospo•3/29/24, 12:54 AM

Still seems very suspect

Jjstone If KDE's login screen can be unlocked with `loginctl unlock-session`, then I thi...

antheas•3/29/24, 12:54 AM

you cant, your user has the permission to unlock your session

antheas•3/29/24, 12:54 AM

that payload can do whatever somebody sitting on your keyboard can after it unlocks your session

antheas•3/29/24, 12:55 AM

so from a security standpoint, not being able to unlock your session is kinda mut

Aantheas you cant, your user has the permission to unlock your session

jstoneOP•3/29/24, 12:58 AM

Unlocking implies that there's a lock. When you have services like gnome-keyring storing your passwords, you don't automatically unlock them even though the files and the contents inside are owned by your user. You still need a security mechanism to ensure that not just anyone is accessing your resources. We already do this in several ways with the login screen before or after login, including A) what you know (password) B) what you have (smart card) C) what you are (biometrics such as fingerprint)

Jjstone *Unlocking* implies that there's a lock. When you have services like gnome-keyri...

antheas•3/29/24, 12:58 AM

the only way to unlock your keyring is to enter your password

Kid•3/29/24, 12:58 AM

Hellow :3
Is there any special setup required to use scrcpy?
I installed it via the bazzite welcome screen, but everytime I want open the App, nothing happens.

ujust just offers a install-scrcpyinstall-scrcpy command, but running that, wouldn't help, right?

antheas•3/29/24, 12:59 AM

its very easy to test this as if you login with a fingerprint, your keyring does not unlock

Aantheas the only way to unlock your keyring is to enter your password

jstoneOP•3/29/24, 12:59 AM

I was talking specifically about the login screen for those multiple authentication examples

antheas•3/29/24, 12:59 AM

something running on your device already has access to yoru files

antheas•3/29/24, 1:00 AM

so it being able to unlock the lockscreen for an attacker to do the same is not a security vulnerability

KKid Hellow :3 Is there any special setup required to use scrcpy? I installed it via ...

HikariKnight•3/29/24, 1:01 AM

yafti runs ujust install-scrcpyujust install-scrcpy
keep in mind scrcpy works only over usb cable unless you adb to your phone and enable the adb server (a phone reboot kills it)

antheas•3/29/24, 1:01 AM

the lock screen is meant to prevent physical tampering, if your device is owned at the user level, that's already the case

HikariKnight•3/29/24, 1:03 AM

@antheas let me unlock this random gnome computer
plug in gamepad and press button

this is similar-ish to the razer issue where you could elevate to admin on windows using a razer mouse on a machine that didnt have the driver installed

HHikariKnight @antheas let me unlock this random gnome computer *plug in gamepad and press but...

antheas•3/29/24, 1:03 AM

unfortunate bug with the library that keeps the computer awake

jstoneOP•3/29/24, 1:03 AM

We discovered this purely by accident in a distro that packaged software intended to handle an unrelated function. Remember, it was replicated by pressing a button with a gamepad.

antheas•3/29/24, 1:04 AM

the endpoint it used unlocks the lockscreen

jstoneOP•3/29/24, 1:04 AM

We don't know what other script authors are doing this purely by accident, nevermind out of malice

antheas•3/29/24, 1:04 AM

well, looking at the script it handles more than 8 DEs

antheas•3/29/24, 1:04 AM

soooo probably accident

jstoneOP•3/29/24, 1:05 AM

Lol

antheas•3/29/24, 1:05 AM

just report the bug and move on, maybe remove it from the image in the meantime

HHikariKnight yafti runs `ujust install-scrcpy` keep in mind scrcpy works only over usb cable ...

Kid•3/29/24, 1:05 AM

Thanks, I thought it would work kinda like KDE Connect ^^'

KKid Thanks, I thought it would work kinda like KDE Connect ^^'

HikariKnight•3/29/24, 1:06 AM

https://github.com/Genymobile/scrcpy/blob/master/doc/connection.md#tcpip-wireless

GitHub

scrcpy/doc/connection.md at master · Genymobile/scrcpy

Display and control your Android device. Contribute to Genymobile/scrcpy development by creating an account on GitHub.

HikariKnight•3/29/24, 1:06 AM

still worth knowing how to set it up

Kid•3/29/24, 1:07 AM

Ty, I'll read that

jstoneOP•3/29/24, 1:07 AM

@Kyle Gospo I can confirm that

loginctl unlock-session

loginctl unlock-session

does the exact same thing in KDE. So this probably should get fixed deeper in the stack like in systemd

HikariKnight•3/29/24, 1:07 AM

seems like they have an automatic mode now so it is a lot easier

Jjstone @Kyle Gospo I can confirm that `loginctl unlock-session` does the exact same thi...

j0rge•3/29/24, 1:08 AM

LOL VEGETA TIME

jstoneOP•3/29/24, 1:10 AM

One solution may be to harden the polkit rules to only accept an unlock-sessionunlock-session action if the user has been authenticated in some way

jstoneOP•3/29/24, 1:18 AM

Authentication is required to lock or unlock active sessions.Authentication is required to lock or unlock active sessions. https://github.com/systemd/systemd/blob/main/src/login/org.freedesktop.login1.policy#L341

GitHub

systemd/src/login/org.freedesktop.login1.policy at main · systemd/s...

The systemd System and Service Manager . Contribute to systemd/systemd development by creating an account on GitHub.

antheas•3/29/24, 1:18 AM

that one unlocks all sessions tho

antheas•3/29/24, 1:18 AM

sudo loginctl unlock-sessionssudo loginctl unlock-sessions

jstoneOP•3/29/24, 1:19 AM

Oh, that makes it better then

jstoneOP•3/29/24, 1:20 AM

https://github.com/systemd/systemd/blob/main/src/login/org.freedesktop.login1.conf#L309

jstoneOP•3/29/24, 1:24 AM

A) "I want to unlock all of the sessions on this computer!" B) "No, you need the secret password!" A) "Err just the one session, the only one you can expect to have on a desktop?" B) "Go ahead, I trust you bro"

Jjstone A) "I want to unlock all of the sessions on this computer!" B) "No, you need the...

Kyle Gospo•3/29/24, 1:27 AM

"this guy seems legit"

jstoneOP•3/29/24, 1:29 AM

The thing is, loginctl unlock-sessionsloginctl unlock-sessions does work as it should. It will do a polkit-based approach where I can just input my fingerprint. And it will do that without some grace period like with sudo, and it does it unconditionally even if I have just the one seat on my system. But no such prompt happens with

loginctl unlock-session

loginctl unlock-session

when it is just a single letter difference. If this isn't a security vulnerability, then why the hell is it security vulnerability-shaped?

jstoneOP•3/29/24, 1:32 AM

At the very least it is an inconsistency with systemd polkit rules. Rules which are packaged in the vast majority of distros these days and are relied upon by many desktops

FoxCry•3/29/24, 2:24 AM

Hey I've tried searching on this discord but don't seem to have a solid find. I've installed Bazzite on my Legion Go coming from Chimera and I'm loving it. It works so well!
Only thing I have to ask is there a way to control the fan? It seems to be stuck on full power all the time. Which isn't bad for gaming but it's annoying when I just want it to sit and download a bunch of games. I've seen LenovoLegionLinux by johnvanv2 but that doesn't list the Legion Go as compatible.
Apologies in advance if this is a stupid question!