Everyone loves themes. Doesn’t matter if it’s a text editor or a smart display in the kitchen, we want to be able to easily customize its look and feel to our liking. When setting up a new device or piece of software, playing around with the available themes may be one of the first things you do without giving it much thought. After all, it’s not like picking the wrong one is going to do something crazy like silently delete all the files on your computer, right?
Unfortunately, that’s exactly what happened a few days ago to [JeansenVaars] while trying out a Plasma Global Theme from the KDE Store. According to their Reddit post, shortly after installing the “Gray Layout” theme for the popular Linux graphical environment, the system started behaving oddly and then prompted for a root password. Realizing something didn’t seem right they declined, but at that point, it was already too late for all of the personal files in their home directory.
More Than Meets the Eye
So what happened? There remains some debate about exactly what caused things to go sideways, but one thing seems clear: the theme wasn’t designed to be malicious. While admittedly not very highly rated on the KDE Store, it still had nearly 3,800 downloads when [JeansenVaars] installed it, and we would have heard by now if all those folks had their home directories wiped out. A few Reddit users poked around in the source for “Gray Layout”, and found some potentially troubling lines, such as this one:
rm -Rf "$configFolder"
This would certainly trigger a Bad Day depending on the value of $configFolder
, but despite looking scary, others pointed out that this line actually comes from an upstream project and that there’s no obvious way this command could be directed towards the entire filesystem given the way the string was pieced together elsewhere in the code. But it was also noted that the theme in question was designed for an older version of KDE Plasma, and that there could be some weirdness going on there. Ultimately, it looks like [JeansenVaars] was just unlucky enough to stumble into an edge case somewhere.
But wait…you’re probably wondering why a graphical theme is running code in the first place. Surely a theme shouldn’t be responsible for anything more than changing some colors around and maybe swapping out the style of your title bars.
Well, you’d think so. It turns out that these so-called “Global Themes” actually have the ability to change pretty much the entire desktop experience, which includes installing new software components and running Bash scripts. Mix that with the ability for users to create and upload these themes for others, and you’ve got a recipe for trouble — intentional or otherwise.
Safety Not Guaranteed
In response to the Reddit discussion, the official KDE Mastodon account made a post which basically said they didn’t want any responsibility for the issue. After pointing out that Global Themes are created by the community, they go on to explain that by design they are able to run arbitrary code without warning. Given the security implications of this, the KDE team recommends users “exercise extreme caution” when downloading said content from the Store.
A few minutes later, the account made another post encouraging users to use the “Report” button in the KDE Store so they could “locate and quarantine defective software” as quickly as possible. The implication is clear: they don’t have the resources or methods to actually vet community-developed content as it comes in, so the users will have to do the leg work for them.
It’s a problem we’ve seen before with similar distribution platforms, such as Python’s PyPi and JavaScript’s NPM. Once you allow users to upload whatever they wish to a repository, it’s only a matter of time before somebody abuses the system. In the case of PyPi and NPM it’s usually in the form of “typo-squatting”, where malicious software is uploaded under a misspelled version of a popular package’s name. It the attacker is clever, they can even duplicate the functionality of the real package — with a nasty “feature” or two added in, naturally.
Hit the wrong key while typing out the name of the software you want to install, and you could end up getting yourself in a bad situation without even realizing it. Better moderation could nuke these named-alike packages before they ever go public, but that takes time and energy that open source projects don’t always have available.
Of course, the key difference here is that you don’t have to make a mistake to download a malicious KDE Global Theme. An attacker just needs to hide some insidious functionality in an otherwise attractive theme, and users would download it willingly.
What’s in a Name?
In response to the ongoing debate, KDE developer David Edmundson posted an article to his blog entitled Trusting content on the KDE Store. In it, he explains that the ability for Global Themes to execute arbitrary code is necessary, and can’t realistically be limited without reducing functionality. Rather than a technical issue, David believes this is more of a communication problem.
As he sees it the real issue is that users don’t expect something called a theme to be able to run code on their machine, and as such, don’t approach them with the same caution they would normal software packages. He believes a clearer indication that installing a Global Theme might make unexpected changes to your system would help differentiate them from more traditional “dumb” themes.
Long term, David says the KDE Store should have a separate section for anything that has the ability to run code on the user’s computer. So in other words, a theme that’s capable of installing new packages wouldn’t be listed alongside a pack of simple wallpapers. Even farther out, he says they’ll need to look into ways of auditing user-submitted content, as well as improve their sandboxing to limit what themes and plugins are actually able to do.
Frankly, it all sounds like a nightmare to us. We’re not in the business of telling folks what to do with their computers, but at least for the time being, we’d probably steer clear of any KDE Global Themes.
I mean, by definition a theme should not be allowed to mess with files in your systems, right? that’s a flaw right there.
Agreed, this is a security issue with KDE. Why would a “theme” need to modify user files?
It’s fine for installing a theme to add files and change your system’s state – to some extent that’s the point, after all – and the more a theme can change, the more “powerful” the feature is.
But doing that properly would mean downloaded themes are purely declarative, and the theme installer is a complex piece of software that can make all those changes in a safe, consistent, reversible way. But if KDE had to do it the proper way, they probably wouldn’t support themes at all, for the same reason Microsoft and Apple gave up on the idea in the 90s, which is that it’s too hard to be worth it.
But it probably needs to store settings somewhere, usually in your home directory where all your private files are…
The problem is that it _runs code_ in the “smart theme”. This is what the user wasn’t expecting, and what Dave E. correctly called out.
It’s 10x worse than simply writing config files or saving settings.
That said, I can totally see how it’s handy for making super-fancy theme packages that install applications, etc. But once you start down that road…
Maybe take the windows approach. ;-)
I wonder how Gnome handles this?
Oh yeah! It uses gconf….
I’m so glad I haven’t used KDE in decades. It wasn’t bad, but like most software these days, there’s ZERO architecture.
Allowing third party developed themes to execute code at the user level is such a no-brainer flaw that would have EASILY been identified with proper architecture documentation. Not just that, the fact that it’s even allowed to continue breaks all Linux security and design principals.
I’m a bit biased though, for the last two months all I have seen on Linux forums is, “HOW GREAT KDE PLASMA IS!” It got old fast. Like I want to see 15 posts a day of your crappy background and terminal theme that you spent 37 hours on tweaking, such a childish thing to share. It’s akin to sharing pictures of the meal you just got from Applebee’s because, “OMG 🤤 IT’S TOTES GOOD!” You developed something for your DE, share away – otherwise don’t waste your time.
That said, the tin-foil hat in me thinks that these vulnerabilities are actually purposeful and will be used to exploit one of the most secure operating systems in the world by state funded departments of the intelligence ilk. Sure, this one thing doesn’t seem so bad, but pile on 15 years of just “one more” and you’ve got swiss cheese.
“The implication is clear: they don’t have the resources or methods to actually vet community-developed content as it comes in, so the users will have to do the leg work for them.”
“In response to the ongoing debate, KDE developer David Edmundson posted an article to his blog entitled Trusting content on the KDE Store. In it, he explains that the ability for Global Themes to execute arbitrary code is necessary, and can’t realistically be limited without reducing functionality. Rather than a technical issue, David believes this is more of a communication problem.”
Yeah KDE has their security model upside-down – and they couldn’t care less about it! I strongly suggest you steer-clear of that KDE mine field.
>Yeah KDE has their security model upside-down – and they couldn’t care less about it! I strongly suggest you steer-clear of that KDE mine field.
Instinctively I agree. But I have to ask does anybody actually know what features KDE has that requires it? Maybe there is a good enough reason to accept it can run code and have to harden your system against that risk (or simply prevent any new themes from ever being used – stick to the default ‘safe’ stuff). I can’t really see any, but maybe there is a need for it I’ve not considered.
Any software the relies on the ability to run arbitrary code is shit software. Any developer or company who argues that it’s impossible to change writes shit software.
KDE is bad because the design is flawed and the architects are bad.
While I really want to agree I suspect it is more complex than that in real world use. Though for a DE I can’t see why it is required. Then there is also the question of how does it run the code? For instance many video games that support modding will run arbitrary code that is at least sometimes maybe even usually sandboxed. I’m not enough of a modder to care to dig into that.
This story doesn’t sound right.
Without being able to point to something definitive in the source code for the theme in question, its anyone’s guess what the user did to wipe out their personal files.
Is there any evidence that “/” could have been used? … are system folders missing?
For all we know, his cat walked on the keyboard.
Ultimately, whatever happened with JeansenVaars isn’t really the issue.
The important thing is that the investigation into those claims brought to light the ability of Global Themes to run arbitrary code, which not only has KDE confirmed, but they’ve said they can’t change without breaking their vision for the feature. KDE also confirmed there was an issue with the particular Global Theme, and pulled it from the store.
If a user wants to continue using this feature after all of this, that’s their choice. But now that we know the kind of mayhem they could potentially cause, hopefully people will give a little more thought into installing them.
Might be time to switch.
I was a huge KDE fan back in the KDE 1-3 days. It got so bloated with v4 I switched away to lightweight window managers and didn’t come back till about a year ago.
Since returning I have been frustrated with the theming. It’s just too heavy. I just want to be able to change the colors of the various UI pieces and save those to a theme. Having a nice set of pre-installed themes is a good bonus and to make those themes sharable/browsable through a “store like” interface makes it modern.
Now themes have icon sets? I just love how I can change the theme and the new one turns out not to include an icon for something so now a shortcut on my desktop or an item in the menu has the broken icon look.
The way it actually works today.. you HAVE to have a theme installed. Then some offer color customization, some don’t . I didn’t even realize there was a way to customize colors short of editing a theme’s CSS at first because none of the ones that came installed offered that.
It seems to me KDE jumped the shark.
I wonder how Trinity Desktop is doing…
The price we pay to make individualism a central theme, even if it makes for more work down the line.
Right now, KDE works great for me. I too was a fan early, then V4 came along and I switched away (gotta love Linux… Try that with Windoze). The only thing I change is the background picture, and the menu back to classic. Of course I add application shortcuts and such but that isn’t theming. My goal in a desktop is to run applications, so all the bling does ‘nothing’ for me.
There’s good reason to run any embedded scripts inside a jailed environment where the scope of access can be restricted. If only such environments existed on every major modern *nix variant.
Just change the name to “OS Mod” or similar that reflects what it is doing.
Design that screams US! no matter how many noodley appendages are attached. Taking out the generics of mass production even if it’s software.
They need to break desktop themes from desktop behaviors. A theme should never be able to execute arbitrary code.
Stuff like this is why many people like Apple’s approach where apps are (correction: were – thanks EU!) subjected to at least some level of scrutiny and generally sandboxed off from doing most nasty stuff. At least KDE removed it promptly, and the EU haven’t denied them that ability.
So much of the open source world relies not just on trusting people not to be evil, but also not writing bugs. Amazingly, it generally works, but we do need to recognise how much we rely on trust. Or make everything run in sandboxes…
Imagine if this wasn’t an edge case, and 1000s of users were hit by it on an update.
Wow. Simping for Apple’s walled garden even here on Hack a day. So sad.
Imagine if all those old Apple devices could be kept out of the trash as OctoPrint hosts, eReaders or something like that. I have an iPad2 here in mint condition, can’t really make anything useful of it!
I get why some people would like their walled garden. But it doesn’t have to be so strict. Just hide a setting deep down in the advanced settings menus for allowing side loading. Then Apple or whoever the manufacturer is can police their own marketplace as thoroughly as they like but the person who bought the hardware can still have the final say. The tech-ignorant 99% would never even notice the difference!
Everybody should have one walled garden type device.
So they appreciate all the others.
Not apple though. Roku or Fire are much cheaper and produce the same frustration.
The last apple product I bought came with 16K or RAM…That cost extra. Once they abandoned open expansion slots I noped the F out of the ecosystem. The Lisa was just too expensive anyhow.
With the number of dodgy apps that do get through Apple’s filters and Apple’s own mistakes it is hardly a real feature to claim superiority with… If anything the nature of Opensource means mistakes and malicious intent is generally fixed and caught easier – many many more eyes to spot something fishy and then anybody with the skills can look for the why. Obviously Apple don’t do a really terrible job most of the time, but if and when they next create a big flaw and the scumbags notice first as there is so little variety in the world of Apple basically everyone is at risk – I’d rather have a bit more variation in the open source default style – not only does it help catch the weird edge cases between the many bits that make up the software stack but it means that flaws in one part is hard to reliably escalate leveraging the other parts as they are quite likely not there.
If you stick with the bigger more popular projects that are open source odds are very good it is fine, especially if you keep to installing only from the package manager and use a LTS ultra stable focused distro rather than the cutting edge rolling releases.
From the moment they started appearing I have always given any of these desktop “installables” an extremely wide berth for this and other reasons.
“ When setting up a new device or piece of software, playing around with the available themes may be one of the first things you do without giving it much thought”
Well, no, at least for this grumpy old curmudgeon. Themes are pretty much ephemeral and spending time fiddling with how things look for this particular release of any software package is a big waste of time IMHO. Keybindings for vi and emacs and .bashrc well ok.
Indeed, the only times I’ve played with such things is for a family friend who is now deceased but really needed lots of tweaks for comfort (They insisted on Windoze which made it even less fun as I’d not really used windows and its accessabilty stuff was and probably still is a joke at the time)…
vi AND emacs?
Expect to be burned at the stake by both groups.
I am agreement. No playing with available themes here. Other than setting the background to a proper picture with black background color. My mind goes to getting access to the ‘applications’ that I am going to be using and making sure they work….