Category: KDE

On my systems I noticed that some services like kglobalaccel are not automatically started when logging into the system. This is on the one hand rather annoying on the other it could indicate a bug in our setup. So this morning I started to look into the issue with kglobalaccel.

Kglobalaccel is a service which is supposed to get started through dbus. My installation prefix is “/opt/kf5” and so the service file gets installed to “/opt/kf5/share/dbus-1/services/org.kde.kglobalaccel.service” – that looks fine. After some investigation I figured out that dbus-daemon looks in $XDG_DATA_DIRS as a search path. Our startkde script adjusts $XDG_DATA_DIRS to include /opt/kf5/share before launching the dbus daemon. But when looking at the environment of the running dbus-daemon one could see the problem: it doesn’t use the set environment variable. The reason is obvious: dbus is nowadays started before the desktop environment gets started.

This means D-Bus doesn’t know where to look for the service files. To fix this create a file “/etc/dbus-1/session.d/plasma-next.conf” with the following content (adjust path as needed):

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <servicedir>/opt/kf5/share/dbus-1/services/</servicedir>
</busconfig>

Save, logout, login and kglobalaccel and others should auto start.

With frameworks 5 the translation system changed quite a bit resulting in your application not being translated without any adjustments. In this blog post I want to highlight how you can test whether your application loads the translation correctly and how to fix it if not. First of all I recommend to read the general translation documentation for the KI18n framework.

Like with kdelibs4 there is a test language which wraps every translated string “foo” to “xxfooxx”. This language needs to get installed. For that follow the following steps:

mkdir i18n # create a directory for the checkout
cd i18n # change into it
svn co svn://anonsvn.kde.org/home/kde/trunk/l10n-kf5/scripts # check out scripts
svn co svn://anonsvn.kde.org/home/kde/trunk/l10n-kf5/x-test  # check out test language
./scripts/autogen.sh x-test # generate build system for test language
mkdir x-test-build # create build dir for test language
cd x-test-build # and change into it
cmake -DCMAKE_INSTALL_PREFIX=/opt/kf5/ ../x-test # adjust /opt/kf5/ to your kf5 install dir
make
make install

With these steps the language gets installed. Now you can run your application to test with the LANGUAGE environment variable. For this blog post I use kinfocenter as the test application:

LANGUAGE=x-test kinfocenter

As you can see kinfocenter is not yet translated properly:

Aus i18n-kf5

The first step is now to connect the application to the catalog. The catalog is the name of the .pot file in Messages.sh – in the case of our test application that is “kinfocenter”.

This is being done with the following call:

KLocalizedString::setApplicationDomain("kinfocenter");

This has to be done before calling any i18n call, so most likely it is in your main function and before the construction of QApplication. After doing this change our kinfocenter looks like that:

Aus i18n-kf5

That’s better but there is still a lot of untranslated code around. The reason for that is kinfocenter loads libraries to display the content and those libraries are not yet connected to the catalogs. In kdelibs4 time one did that through the insertCatalog function, now it needs to be done in the library.

The way is to add a definition for TRANSLATION_DOMAIN with the catalog as value in the CMakeLists.txt of the library. So for the info module in kinfocenter that’s:

# KI18N Translation Domain for this library
add_definitions(-DTRANSLATION_DOMAIN=\"kcm_infosummary\")

And now our kinfocenter looks like that:

Aus i18n-kf5

Of course one needs to do these adjustments for each of the libraries.

Last but not least one needs to mention ui files. For those one needs to use ki18n_wrap_ui in the CMakeLists.txt.

The 14.04 release of Unity unfortunately shipped with a few security vulnerabilities in the newly introduced screenlocker. As we will also ship a reworked screenlocker in Plasma Next I started to do another code audit, add more unit tests and try to make the code easier to understand and maintain. Furthermore I think it’s a good reason to explain how screenlockers work in general on X11 (and why it is easy to introduce security vulnerabilities) and the screenlocker in Plasma Next in particular. To make one thing clear: this post is not meant to shame Ubuntu for the issues. Some of these whoopies would have been possible in Plasma, too, and that’s the reason why I looked at the code again in more detail. On the other hand I think that our screenlocker in Plasma Next could be a solution for Unity’s use cases and I would appreciate if Ubuntu would adpot our solution.

What a screenlocker should protect

Before looking at how it works in X11, I shortly want to discuss what a screenlocker can protect and what is out of scope for a screenlocker. In general there are two tasks for a screenlocker:

• Blocking input devices, so that an attacker cannot interact with the running session
• Blanking the screen to prevent private information being leaked

The lock is hold till an authorization is provided (e.g. password). I’ll discuss in more detail what these authorizations are in the case of Plasma.

There are a few things the screenlocker cannot protect against:

• Evil software already running under the user’s account
• Attackers having access to a tty running under the same user

To explain the first problem we must remember that X11 is very bad from a security point of view. This adds a general limitation to what can be protected. Getting a key logger with X11 is extremely trivial, there are easier ways to get the password than to try to attack the locker.

The second problem goes in the same direction: if someone has access to a tty, he can install an X11 key logger. It will not get the password, but still it’s a huge problem. Also the attacker could reconfigure the locker or run a debugger on the lock process to just end the locker. Some of these problems can be mitigated by the distribution through hardening (e.g. SELinux).

I plan to harden the system against these two problems in a future release. Though given the general problems of X11 it will never be possible to completely solve these two problems on X11.

How screenlockers work in X11

X11 doesn’t really know the concept of a screenlocker. Thus one needs to use the concepts of X11 to try to get something like a screenlocker. The main features are grabbing the keyboard and grabbing the pointer. What’s important to know about these two X11 features is that only one X Client is allowed to grab the keyboard and pointer. If the keyboard or pointer is already grabbed the lock cannot be established. For example if a (context) menu is open the screen cannot be locked or if Present Windows is active.

Having the keyboard and pointer grabbed are essential to fulfill the first task of the screenlocker. This also shows why it’s so difficult to get a locker right. As soon as the process grabbing the keyboard goes away the lock is released. As soon as that happens the screen is unlocked. Thus there is an easy scenario to attack a screenlocker: get the lock process to crash and restart and try to grab the keyboard before the screenlocker is able to re-install the grab.

This is the problem Unity run in and to be honest we also almost run into this issue in the past. Thus a screenlocker implementation must be able to hold the keyboard grab during a crash. A lock file might not be sufficient. I will explain later how we made the screenlocker in Plasma crash resistant, so that the session will never be unlocked.

The second task is blanking the screen. This is done by creating a lock window and raise it on top of all windows and ensure that the lock window is always on top of all windows. Given the description one can notice that this is kind of a fragile process. Assume one has two processes trying to be on top of each other: they will constantly try to raise on top of the other. Something I once experienced by having the screen locked during session startup resulting in a race between login and lock screen. Again Wayland will improve the situation as the compositor (in our case KWin) will be aware of the screenlocker and will ensure the restrictions.

Screenlocker architecture in Plasma Next

The architecture for locking screens got simplified in Plasma Next. Support for screen savers got completely removed (fear not: we have plans for replacement, probably not in Plasma Next, but in a future release) and that helped a lot to trim down the architecture.

In Plasma Next the locking consists of three interacting processes:

• KSLD in KSMServer
• kscreenlocker_greet (greeter)
• kcheckpass

While this might sound complex to have three processes it’s following the unix philosophy of one tool, one task. So let’s look at what the processes do.

KSLD

KSLD (for KScreenLocker Daemon) is a library used by KSMServer. KSMServer is our session server which gets started during session startup and keeps the session alive. If it crashes the session dies with it and you are returned to the login screen. KSLD is the main component of the screenlocker: it listens to the activation signal (e.g. global shortcut or logind), installs the X11 lock, blanks the screen and waits for the authorization to unlock the screen again.

At the moment KSLD has three authorization mechanisms:

• User configurable grace time: any user input during the grace time interval immediately unlocks the screen
• logind: listens to Unlock signal on the session’s object
• greeter process: exits with exit code 0

The most complex authorization mechanism is the greeter. For that the greeter process needs to be started and is monitored by KSLD. If the greeter process crashes the lock is kept and the greeter process is started again. The authorization to unlock is provided by the exit code of the process. If it exits with 0 the screen gets unlocked, with any other code the greeter gets started again.

Of course we need to show the greeter – so far the screen is blanked and no window is allowed to go above the blanked window. To achieve this the greeter can set a special window property on its windows and ksld will raise those above the locker and forward input events to this X client.

Security note: this cannot protect against malicious software already running on the user’s session. A malicious software could set the same property and thus read the input events. I intend to change this for a future release to have a socket communication between ksld and the greeter to pass window information and input events. Obviously it’s a good idea to use the Wayland protocol for this task – also on X11.

kscreenlocker_greet

The second process in our architecture is kscreenlocker_greet which got partially already explained in the previous section. In Plasma it’s responsible for rendering the unlock screen interface and the session switching interface. The user interface is implemented using QML allowing us to easily adopt to new use cases – e.g. the unlock screen in Plasma Active is just a different QML package.

For future releases we have some ideas to improve the experience by allowing to run our normal wallpaper plugins (bringing back animations) and allowing some selected plasmoids to go on the lock screen. Of course we need to white list the plasmoids which are allowed to go on the lock screen to not expose private information or even allow to start processes. It would be a bad idea to add a terminal emulator as a plasmoid.

kcheckpass

As mentioned our architecture is following the “do one thing, do it right” approach and the task of the greeter is only to provide the user interface. It does not perform any password verification. For that it uses kcheckpass, which is a small terminal application to verify a provided user password. If the user clicks the unlock in the greeter kcheckpass is invoked and the password is passed to kcheckpass through a binary socket protocol. Kcheckpass communicates with PAM to verify the password and can pass back an authentication success, authentication error or further information for PAM modules needing further interaction like a fingerprint reader. These messages and authentication failure are passed back to the greeter ui. If the authentication is successful the greeter exits with exit code 0.

This concludes the look on the various components. I would encourage all readers to try to break the architecture before we have a release. I’m quite confident that the architecture is secure and also more secure than what we had in 4.x.

XScreenSaver

Last but not least I want to share some thoughts on XScreenSaver. Whenever an issue arises like the ones in Unity we can hear people claiming one should use XScreenSaver because it’s way more secure. Now personally I don’t believe in silver bullets – especially not if it comes to security. In the beginning of this long blog post I stated two tasks a screenlocker needs to provide and XScreenSaver can fail with the second: the screen content can be exposed. Consider for example the linked screenshot. For a screen saver of the last millennium this was a suitable solution, but not for an implementation where we want to focus on security.

As we can read in the section On Toolkit Dialogs the security of XScreenSaver is based on the fact of not using a GUI toolkit. While the argumentation sounds good, it fails to see the need of today’s desktop environments. Providing an unlock dialog which can be styled with XLib might be a solution for the 90ies but not in a world where we want to provide an awesome user experience. Today users also expect the current time, battery state and many more information on the lock screen. We need to provide accessibility features which is not possible in XScreenSaver. We need to use proper idle mechanism shared with other applications. We need DBus integration, inhibition (XScreenSaver doesn’t support this!) and logind integration. Not using toolkits also means to have to fix bugs which the toolkit would solve for you, this is again increasing the risk of broken code and crashes in the daemon. Just consider this piece of code I found in XScreenSaver:

/* It turns out that if we do setlocale (LC_ALL, "") here, people
    running in Japanese locales get font craziness on the password
    dialog, presumably because it is displaying Japanese characters
    in a non-Japanese font.  However, if we don't call setlocale()
    at all, then XLookupString() never returns multi-byte UTF-8
    characters when people type non-Latin1 characters on the
    keyboard.
   
    The current theory (and at this point, I'm really guessing!) is
    that using LC_CTYPE instead of LC_ALL will make XLookupString()
    behave usefully, without having the side-effect of screwing up
    the fonts on the unlock dialog.
   
    See https://bugs.launchpad.net/ubuntu/+source/xscreensaver/+bug/671923
    from comment #20 onward.
   
      -- jwz, 24-Sep-2011
*/

Now if you consider the architecture I explained the “problem” of the toolkit doesn’t matter at all. We are running an interpreted (QML) language which heavily uses OpenGL without introducing any security risks by using separate processes. If the application which holds the lock (and also heavily uses Qt) crashes the complete session goes down. In turn I think that the argumentation provided by the XScreenSaver maintainer doesn’t hold. Even more I haven’t seen anything about crash resistance like we have in Plasma to have the session getting killed if the lock process crashes. I’m not saying that this doesn’t exist (the code base is very large and I haven’t done a full audit) but I haven’t seen anything in the very prominent documentation about why it’s better.

Of course one could ask why we don’t work on XScreenSaver to improve it and make it work for our use cases. I don’t think that this is possible and at least I would not even try to. It’s quite clear that code using toolkits is not wanted. I also doubt that the needs of desktop environments like Plasma, GNOME Shell or Unity are understood at all. Let me quote the FAQ:

KDE suffers from the same brain damage as GNOME, above.

The only sensible (and secure) way to use a screen saver under KDE is to turn off KDE’s built-in screen saver, and use xscreensaver instead.

With that attitude I think it’s quite obvious why at least I see zero chances to use XScreenSaver in any desktop environment.

This weekend I read a blog post by Robert Ancell from Canonical claiming that the display server doesn’t matter . To quote the direct message:

The result of this is the display server doesn’t matter much to applications because we have pretty good toolkits that already hide all this information from us.

Now I don’t know how to put it, the best description is that I’m shocked that Canonical is still not seeing the problems they created by having multiple display servers. I do not know how much experience Robert has with making applications work with multiple display servers, but I at least have this experience as shown in my blog post on making KF5 not crash on Wayland. Granted in this blog post I write that “basically if your application compiles on frameworks it will run on Wayland out of the box”. But that is a strong simplification of the issues which can be present.

With this blog post I will prove Robert’s claim that the display server doesn’t matter due to the toolkit wrong by contradiction. I could just stop here, because I already wrote that KF5 applications were crashing on Wayland prior to me starting to fix these issues. If the toolkit would just abstract away all the display server differences our applications libraries would not have crashed.

Also the assumption that the toolkit behaves the same is just wrong. One of the issues I fixed was Qt returning a nullptr from QClipboard::mimeData on platform Wayland while it returned a valid pointer on all other platforms. It’s obviously an application bug but the documentation doesn’t say that there could be nullptr returned or not. There can be hundreds or thousands of such small behavior differences. An application developer is not able to ensure that the application is working correctly on a distro-specific display server. If the application developer recieves a crash report for such an issue, the developer cannot reproduce the issue – not even on running the same distro with another DE – cannot write a failing unit test, cannot integrate it into the CI system. The most sane thing he could do is declaring that proprietary display server as unsupported. And this should show the problem: each developer will see issues caused by Mir – it doesn’t matter whether it’s in the toolkit, application libraries or in the application itself. Thus an application developer will have to care about the display server. The applications will have to decide whether they want to support Ubuntu.

Another example is different behavior. Look at this screenshot:

Aus Weston

This is the KColorDialog running on Wayland and when I click the pick color button nothing happens and the debug output just says: “This plugin does not support grabbing the keyboard”. It uses QWidget::grabKeyboard – functionality provided by the toolkit. Again the documentation does not tell that it’s not supported on all platforms, it also doesn’t offer API hooks to figure out whether grab is supported. What will be a possible fix for this?

#if Q_OS_LINUX
if (!QX11Info::isPlatformX11()) {
    colorPickButton->hide();
}
#endif

We just hide the button if we are building for Linux but are not on X11. Why is that wrong? Well what if other platforms still support it. So a better way?

#if Q_OS_LINUX
if (QGuiApplication::platformName().toLower().contains(QStringLiteral("wayland"))) {
    colorPickButton->hide();
}
#endif

It’s better, it only hides it for Wayland. But what if the same feature is also not supported on Mir? How should a developer find out to fix that problem properly? How does a developer figure out what the platformName for Mir is? The documentation doesn’t know anything about Mir, the Qt sources (yes I have them on my system) don’t know anything about it. How long will it take till a user reports that the button is broken? Will the user tell that it’s Mir and not a normal system? After all our bug reporting tool reports “Ubuntu” for both Ubuntu and Kubuntu. And on Kubuntu, which the dev might be running, it’s working just fine.

Another example from a patch I prepared to fix an issue:

 #if HAVE_X11
     d->display = qgetenv("DISPLAY");
+    if (d->display.isEmpty()) {
+        // maybe we are on Wayland?
+        d->display = qgetenv("WAYLAND_DISPLAY");
+        if (!d->display.isEmpty()) {
+            // don't go into the xauth code path
+            return;
+        }
+    }
 #else

Now will that code work with Mir given the way it is written? Obviously not. Could I have fixed it? Obviously not, because I have no idea whether Mir has a system like these env variables. What will happen if someone tries to fix it for Mir? I expect the maintainers to tell that this doesn’t scale and needs to be reworked. For two it’s a solution to just test one after the other, but with three systems it doesn’t scale any more. It becomes too complex. So yes the maintainer of this application library has to care about the fact that there are multiple Display Servers.

In summary: Canonical created a huge problem by introducing another Display Server and it’s affecting all of us and they are still in denial state. It’s not a simple the toolkit will solve it. It can cause issues everywhere and that affects the development and maintenance costs of all applications. My recommendation to application developers is to never accept patches for this mess Canonical created. If they want that fixed, they should do it in their downstream patches. Distro specific problems need to be fixed in the distros. I certainly will not accept patches for the frameworks and applications I maintain. This is not for political reasons as it’s so often claimed, but for technical, because I cannot test the patches (Mir not available on Debian) and our CI system cannot build it.