In the udev rules section of the docs it mentions that udev needs to have qtile in $PATH and so recommends editing the udev script to make sure it references the qtile install in your home folder.
This lets anyone with write access to the user home folder run arbitrary code as root by changing qtile or any of the python source in $HOME/.local/lib/python3/site-packages. Seems like there should be a way that doesn't require this but still lets people install qtile in their home folder? This looks like a possible target for malware to run code as root without requiring the user to type their password.
Version
0.25.0
Backend
Wayland (experimental)
Config
No response
Logs
No response
Required
I have searched past issues to see if this bug has already been reported, and it hasn't been.
I understand that people give their precious time for free, and thus I've done my very best to make this problem as easy as possible to investigate.
Sure, the rules file could do all this stuff itself, but it's another entrypoint to distribute and manage. IMO, if someone can write to your home directory, the game is already over: https://xkcd.com/1200/
I would take a patch that implemented a separate udev rules script, as long as you promise to go pester all the distro packagers as well to include it :)
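An added example, not part of the issue thread or of qtile's code: a small audit that extracts the program named in each udev `RUN` assignment and reports every path component a non-root account owns or can write to. The sample rule and the `alice` account are constructed for illustration, and the function names are hypothetical.

```python
import os
import re
import stat

# Constructed sample rule (not copied from the qtile docs): RUN points at a
# per-user install, as the issue describes. "alice" is a placeholder account.
SAMPLE_RULES = '''\
ACTION=="add", SUBSYSTEM=="backlight", RUN+="/home/alice/.local/bin/qtile udev backlight --device %k"
'''
RUN_RE = re.compile(r'RUN(?:\{\w+\})?\s*\+?=\s*"([^"]*)"')


def run_programs(rules_text):
    """Return the program (first word) of every RUN assignment, skipping comments."""
    programs = []
    for line in rules_text.splitlines():
        if not line.lstrip().startswith("#"):
            programs += [v.split()[0] for v in RUN_RE.findall(line) if v.split()]
    return programs


def writable_by_untrusted(path, trusted_uids=(0,)):
    """Check path and every parent directory, both as written and with symlinks
    resolved; return {component: reason} for each one an untrusted account controls."""
    findings = {}
    for current in (os.path.abspath(path), os.path.realpath(path)):
        while True:
            st = os.stat(current)
            if st.st_uid not in trusted_uids:
                findings[current] = f"owned by uid {st.st_uid}"
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings[current] = "group- or world-writable"
            parent = os.path.dirname(current)
            if parent == current:
                break
            current = parent
    return findings


def audit(rules_text, trusted_uids=(0,)):
    """Map each absolute RUN program that exists on disk to its unsafe components."""
    return {
        prog: writable_by_untrusted(prog, trusted_uids)
        for prog in run_programs(rules_text)
        if os.path.isabs(prog) and os.path.exists(prog)
    }


if __name__ == "__main__":
    print(run_programs(SAMPLE_RULES))
    for prog, findings in audit(SAMPLE_RULES).items():
        print(prog, findings)
```

This covers only the executable named in the rule; the same walk can be pointed at the site-packages directories the issue mentions, since the interpreter loads those as root too.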