What distribution independent plugin + store system is Cosmic going to provide?
No idea, but seeing the features they are going to be packing, I’m not going to need any plugins lol
Things like these make my blood boil.
This is just another instance of bypassing proper package management, but this time, with disastrous consequences. Third-party stores, especially ones that anyone can upload anything to, are a stupid idea.
Flathub, npm, pip, gem, cargo, yarn, snap store, KDE store/Discover… How many package managers does one need on one’s computer? It’s all cancer. Don’t use them. Stick to the official Arch repos and, if absolutely necessary, the AUR (and be very careful with the AUR).
Yes.

That’s disconcerting.
Thanks for drawing attention to this.
I’m surprised no one has mentioned this. The interesting thing is a clever person could incorporate something like this into an SDDM theme, which does require root privileges and could inflict additional damage besides ‘only’ deleting the user’s $HOME directory.
Afaik SDDM runs as its own user (sddm) without root. SDDM isn’t bound to plasma and said plugins use plasma facilities to e.g. access the CLI to execute commands.
So that’s an interesting idea, but I would like to see some proof before accepting that claim.
It isn’t that nobody ever thought about it and we discover some new loophole. Plasma extensions executing commands on the local machine is intended behavior. There are literally widgets that provide buttons for “execute local command”.
It was a bit of a theoretical idea more than anything. However, both downloading and applying SDDM themes do require a user’s elevated privileges. Not to mention, by your own admission, it would take very little for one to access the CLI to execute something.
Once they are installed and applied they no longer require a user’s privileges, but by then it would be too late.
Yes, I do understand this, hence my previous comment.
I never said nor implied either of these. I was just surprised no one mentioned it, like I said.
The Gentoo wiki explicitly states:
By default SDDM runs in X11 as the root user. This may be considered a security risk.
Since x11-misc/sddm version 0.20 it is possible to run SDDM in X11 rootless mode instead.
To accomplish this the Display server configuration must be overridden using the local /etc/sddm.conf.d/override.conf.
https://wiki.gentoo.org/wiki/SDDM/en#override.conf_and_X11_rootless_mode
The Arch wiki:
Note: As of SDDM version 0.20, Wayland sessions are listed and can be started from SDDM, but the SDDM greeter itself still runs in X11 mode by default, although an experimental Wayland greeter can be enabled.
The section on running SDDM rootless:
SDDM can start both Wayland and X11 rootless, since sddm 0.20.0.[4]
The method is the same for both of them: create a new config file…
Also note:
Warning: Running a Wayland compositor rootless is experimental.
The user must elevate to apply SDDM settings, but that doesn’t tell us what is happening without code review. Does that temporary elevation execute arbitrary theme code? I want to see proof for that.
It takes very little to execute CLI in the plasma shell environment, I don’t have the knowledge to judge how that applies to SDDM.
Just checked, runs as root here too. OK, that’s bad, but apparently people knew. So again this is not a new loophole; people were aware of that fact, as the devs should be.
Again, it’s an interesting idea, and I would like to have a follow up on that, but so far it feels we are deriving a claim from secondary sources without anybody having any clue what is actually possible.
I actually installed that theme and tried it out but ended up liking other ones I installed more, so I removed it. Nothing happened to me.
Same here, when I was testing KDE 6 with Fedora 40’s pre-release. There was some kind of bug with applying global themes, and I couldn’t get any to work. Guess I dodged a bullet.
Kinda shocking, considering that this was one of the earliest Plasma 6 themes available.
I got damn lucky with ALL my current theme components; other than the blur from Kvantum, which we expected not to work, all work perfectly.
I was basically just installing all the new ones since there weren’t many for Plasma 6.
I remember there was one called “nothing” that actually did absolutely nothing, maybe it was a joke.
That this happened is absolutely terrible; I understand that KDE has limited resources to be able to vet every theme that gets posted in their themes store, but there must be a way to do this somehow… (e.g. run and test each theme in a VM or sandboxed environment)
Some points to consider:
- Always make backups of your (most important) files, even if you’ve never experienced catastrophic data loss for whatever reason - you never know what could happen, and how. (How many users would ever think that downloading a global theme could/would lead to the wiping out of all data? A cautious IT professional, perhaps…)
- Considering that Linux is well-known for open source software that is auditable, is often tested in the repos, and has a reputation for security, it’s all too easy to develop a false sense of security and let down one’s guard in general when using Linux in a wide variety of situations regardless of circumstance. Sometimes, we get a bit complacent, and take the benefits of Linux for granted. I’m not trying to say or imply that the user that had all their files deleted was guilty of doing that, but still - it’s something to consider. Linux is excellent, sure… but far, far from perfect. (Bugs notwithstanding, of course.)
- As mentioned above, it’s generally a good idea to only download software from select repos.
I missed out on all the fun stuff! Couldn’t get that one installed, either.
Additionally, if you want to use themes, it’s probably a good idea to download manually so you can inspect them beforehand. KDE’s interface for installing global themes is very automated.
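As an added illustration of the “download manually and inspect first” advice above (this is not code from the thread, from KDE, or from any theme store; it is an example written here): a small Python script that lists the members of a downloaded theme tarball without extracting it to disk, refuses members with absolute or `..` paths and links, notes which files carry an executable bit, and flags files containing strings that suggest shell commands or references to the home directory. The pattern list, the sample archive layout and the `runCommand(...)` string in the constructed sample are assumptions for demonstration, not a description of how KDE global themes actually run code; the point is that a quick read of what is inside an archive, and where, is possible before anything gets installed.

```python
import io
import re
import tarfile

# Heuristic patterns (an assumption, not an exhaustive or KDE-specific list):
# strings that suggest a theme file runs shell commands or touches the user's files.
SUSPICIOUS = [
    ("recursive rm", re.compile(rb"rm\s+-[a-zA-Z]*r")),   # e.g. "rm -rf"
    ("shell binary", re.compile(rb"/bin/(ba)?sh\b")),      # direct shell invocation
    ("shell -c", re.compile(rb"\b(ba)?sh\s+-c\b")),        # sh -c "..."
    ("home dir", re.compile(rb"\$HOME|~/")),               # references to $HOME
]


def unsafe_member(name: str) -> bool:
    """True for archive member names that would escape the extraction directory."""
    return name.startswith("/") or ".." in name.split("/")


def inspect_theme_archive(data: bytes) -> dict:
    """Inspect a gzip'd tar archive given as bytes; nothing is written to disk.

    Returns a dict with 'members' (all member names), 'unsafe_paths'
    (traversal, absolute paths, symlinks/hardlinks), 'executables'
    (regular files with an executable bit) and 'flagged'
    (member name -> list of matched pattern labels).
    """
    findings = {"members": [], "unsafe_paths": [], "executables": [], "flagged": {}}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            findings["members"].append(member.name)
            if unsafe_member(member.name) or member.issym() or member.islnk():
                # links can point anywhere on the system, so treat them like bad paths
                findings["unsafe_paths"].append(member.name)
                continue
            if not member.isfile():
                continue
            if member.mode & 0o111:
                findings["executables"].append(member.name)
            content = tar.extractfile(member).read()
            hits = [label for label, pattern in SUSPICIOUS if pattern.search(content)]
            if hits:
                findings["flagged"][member.name] = hits
    return findings


def build_sample_archive() -> bytes:
    """Constructed in-memory sample (not a real theme): a metadata file, a
    script-like file that shells out, an executable shell script and a
    member with a traversal path."""
    files = {
        "theme/metadata.desktop": b"[Desktop Entry]\nName=Sample\n",
        "theme/contents/layout.js": (
            b"// constructed sample of a theme file that shells out\n"
            b"runCommand('rm -rf ~/');\n"   # hypothetical call name, for the demo only
        ),
        "theme/contents/setup.sh": b"#!/bin/sh\necho hello\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.mode = 0o755 if name.endswith(".sh") else 0o644
            tar.addfile(info, io.BytesIO(body))
        escape = tarfile.TarInfo("../escape.txt")   # would land outside the theme dir
        escape.size = 0
        tar.addfile(escape, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_theme_archive(build_sample_archive())
    print("members:     ", report["members"])
    print("unsafe paths:", report["unsafe_paths"])
    print("executables: ", report["executables"])
    for name, labels in report["flagged"].items():
        print(f"flagged {name}: {', '.join(labels)}")
```

To use it on a real download, replace `build_sample_archive()` with the bytes of the `.tar.gz` you fetched; a hit is a reason to open that file and read it, not proof of malice, and a clean report only means none of these particular strings appeared.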
Eventually it comes down to money. A mere thousand people donated in the plasma 6 fundraiser. What does that tell us?
It’s also worth pointing out that deleting data is only one possible outcome. The data could also be zipped up and sent to Timbuktistan for further review™ without deleting anything.
