Page MenuHomePhabricator

Disabling Baloo file indexer
Closed, WontfixPublic

Description

Repost:

Automated browser downloads + bug ridden FS indexing parsers like KDE Baloo are a serious threat to systems and a really easy way to mount RCEs on desktops.

AFAIK Baloo is disabled by default but I'm not sure. Can you confirm that it is if its not the case? and of course we need to keep an eye out for it on Whonix Stretch.

https://phoronix.com/scan.php?page=news_item&px=Linux-Desktop-Win10-Security1
https://fosdem.org/2017/schedule/event/linux_desktop_versus_windows10/attachments/slides/1730/export/events/attachments/linux_desktop_versus_windows10/slides/1730/fosdem_linux_desktop_security.pdf

Details

Impact
Low

Event Timeline

HulaHoop created this task.Feb 11 2017, 3:38 AM
JasonJAyalaP added a subscriber: JasonJAyalaP.EditedJun 16 2017, 9:34 PM

It appears that baloo is disabled by default. On a fresh WS:

balooctl status

it says disabled.

Baloo is installed by default in both GW and WS

If baloo shouldn't be on by default in Whonix, then lets not include the baloo package (and 2 dependencies?) at all.

dpkg -l | baloo

Hmm but apt-get remove shows that dolphin and some whonix packages (??) depend on it.

Patrick added a comment.EditedJun 16 2017, 9:41 PM

Whonix does not depend on baloo directly. It's a dependency of dolphin. Therefore cannot be avoided.

reverse-depends baloo-kf5

TODO:

  • add a new whonixcheck test that tests if baloo is disabled and warns if it is enabled (now or later)
  • or lazy reassign the ticket to Debian version 10 codename Buster so we manually recheck then

It's off by default. If someone enables it by choice, should we warn them to turn it off? Warn them that it's another attack vector? Is it a big enough security risk? whonixcheck shouldn't be in charge of checking and warning the user about most modifications they make that may be attack vectors.

Compromise: Kick the problem to deb 10 and see if they've turned it on by default. Worry about it then.

JasonJAyalaP lowered the priority of this task from Normal to Low.
JasonJAyalaP changed Impact from Normal to Low.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

It's off by default. If someone enables it by choice, should we warn
them to turn it off? Warn them that it's another attack vector? Is it
a big enough security risk?

Good question. My idea was to make sure it stays disabled in Debian 10
based Whonix later on. Perhaps that doesn't belong into whonixcheck but
would more be part of an automated test suite.

Compromise: Kick the problem to deb 10 and see if they've turned it
on by default. Worry about it then.

Right.