KDE Plasma theming security nightmare: scripting feature can run root commands including the worst Linux meme
One of the benefits of open-source software, which many Linux distributions favour, is that anyone with the know-how and interest can contribute to the experience. Usually, this openness helps make open-source software more secure, but the opposite has apparently happened with KDE Plasma's Global Theme support.
It was recently discovered by a user on the r/openSUSE subreddit that a KDE Plasma Global Theme called Grey Layout was somehow able to erase all of the user's data on every mounted drive the logged-in user had permission to write to. This effectively resulted in the user's entire computer being wiped, including the operating system files needed to boot.
While the theme in question was removed from the KDE Store, according to KDE developer Nate Graham, there are a few aspects of the incident that stand out. The fact that the theme was specifically hosted on the official KDE Store is concerning, because the typical advice given by experienced Linux users is to be very sceptical about software from unofficial sources.
That said, KDE does have a warning on the KDE Store stating that user-submitted content is not audited or endorsed by the KDE team, and KDE's David Edmundson said in a blog post on the subject that he recommends organisations running KDE restrict their users from installing third-party applications, which can be done with a bit of code.
Further, Edmundson emphasised that KDE needs to improve how it separates safe content (which consists only of metadata and assets) from unsafe content (which can contain scripts and the like), as well as how it communicates the risks to users and presents "speed-bumps" when they install potentially unsafe content.
"We need to improve the balance of accessing third party content that allows creators to share and have users to get this content easily, with enough speed-bumps and checks that everyone knows what risks are involved.
Longer term we need to progress on two avenues. We need to make sure we separate the "safe" content, where it is just metadata and content, from the "unsafe" content with scriptable content.
Then we can look at providing curation and auditing as part of the store process in combination with slowly improving sandbox support."
Ultimately, instances like these highlight how Linux's openness and freedoms can affect end users negatively if not implemented correctly. While this was not a malicious attack, it presents the possibility for a malicious attack and generally increases mistrust in both Linux and projects like KDE. Looking forward, it seems as though we can expect new content safety warnings for the KDE Store and perhaps slightly less convenient methods of installing third-party content.
If you're looking to get into Linux in a slightly more secure way, try out the Valve Steam Deck (curr. $416.98 on Amazon), which runs on SteamOS — an immutable, containerised version of Arch Linux. Alternatively, check out the Windows-based Asus ROG Ally with AMD's Ryzen Z1 Extreme (curr. $599.99 at Best Buy).