Page MenuHomePhorge
Create Task
Maniphest T630

Disabling Baloo file indexer
Closed, WontfixPublic
Actions

Description

Repost:

Automated browser downloads + bug ridden FS indexing parsers like KDE Baloo are a serious threat to systems and a really easy way to mount RCEs on desktops.

AFAIK Baloo is disabled by default but I'm not sure. Can you confirm that it is if its not the case? and of course we need to keep an eye out for it on Whonix Stretch.

https://phoronix.com/scan.php?page=news_item&px=Linux-Desktop-Win10-Security1
https://fosdem.org/2017/schedule/event/linux_desktop_versus_windows10/attachments/slides/1730/export/events/attachments/linux_desktop_versus_windows10/slides/1730/fosdem_linux_desktop_security.pdf

Details

Impact
Low

Event Timeline

HulaHoop created this task.Feb 11 2017, 2:38 AM
Herald added a project: Whonix. · View Herald TranscriptFeb 11 2017, 2:38 AM
Herald added subscribers: entr0py, WhonixQubes, Patrick. · View Herald Transcript
Patrick added projects: Whonix 14, kde.Feb 11 2017, 3:29 AM
HulaHoop added a comment.Apr 13 2017, 7:23 PM

https://community.kde.org/Baloo/Configuration

JasonJAyalaP subscribed.EditedJun 16 2017, 7:34 PM

It appears that baloo is disabled by default. On a fresh WS:

balooctl status

it says disabled.

Baloo is installed by default in both GW and WS

If baloo shouldn't be on by default in Whonix, then lets not include the baloo package (and 2 dependencies?) at all.

dpkg -l | baloo

Hmm but apt-get remove shows that dolphin and some whonix packages (??) depend on it.

Patrick added a comment.EditedJun 16 2017, 7:41 PM

Whonix does not depend on baloo directly. It's a dependency of dolphin. Therefore cannot be avoided.

reverse-depends baloo-kf5

TODO:

  • add a new whonixcheck test that tests if baloo is disabled and warns if it is enabled (now or later)
  • or lazy reassign the ticket to Debian version 10 codename Buster so we manually recheck then
JasonJAyalaP added a comment.Jun 16 2017, 9:29 PM

It's off by default. If someone enables it by choice, should we warn them to turn it off? Warn them that it's another attack vector? Is it a big enough security risk? whonixcheck shouldn't be in charge of checking and warning the user about most modifications they make that may be attack vectors.

Compromise: Kick the problem to deb 10 and see if they've turned it on by default. Worry about it then.

JasonJAyalaP lowered the priority of this task from Normal to Low.Jun 16 2017, 9:30 PM
JasonJAyalaP edited projects, added Debian version 10 codename Buster; removed Whonix 14, Whonix.
JasonJAyalaP changed Impact from Normal to Low.
Patrick added a comment.Jun 16 2017, 11:17 PM

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

It's off by default. If someone enables it by choice, should we warn
them to turn it off? Warn them that it's another attack vector? Is it
a big enough security risk?

Good question. My idea was to make sure it stays disabled in Debian 10
based Whonix later on. Perhaps that doesn't belong into whonixcheck but
would more be part of an automated test suite.

Compromise: Kick the problem to deb 10 and see if they've turned it
on by default. Worry about it then.

Right.

Patrick closed this task as Wontfix.Nov 20 2018, 3:59 PM
Patrick claimed this task.

https://forums.whonix.org/t/user-poll-xfce-vs-kde-kde-deprecation-considered/6235

Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer