cross-posted from: https://lemmy.ml/post/13397700
Malicious KDE theme can wipe out all your data
Or is it just buggy?
i can do that too with --no-preserve-root but you don’t see me bragging.
We really need better sandboxing for the desktop. I see why scripting can useful for themes, but why the heck would they have so much fs access?
I thought wayland was supposed to improve security. Were the past 18 years a lie?
Wayland isn’t a product. You’re gonna have to get your mind out of capitalism to understand the free software community.
This is different from the Wayland security model, as Wayland restricts the ability for clients to modify and read from other clients arbitrarily. This is an extension to a Wayland compositor, and as all extensions do, it contains code which runs on your system. Any code, unless sandboxed, can access your filesystem no matter if it’s run under Wayland, X11, or no windowing system at all for that matter.
*Malicious script inside everywhere can wipe out all your data
For those that don’t want to go back to the Dark side (Reddit), the post referenced a theme (Grey Layout global theme) which got KDE Dev’s involved who in reaction removed the listing from the store.
In short - the theme ran code to run a rm -rf on the user’s drive which wiped everything during install. Aside from backing up your data religiously, be sure to inspect the code instead of blindly installing for now. KDE Dev’s said they will need to do better so I expect some changes are afoot to provide better security.