http://docs.kde.org/
PrevInternalsNext

Password Keeping

For your comfort, KDE su implements a keep password feature. If you are interested in security, you should read this paragraph.

Allowing KDE su to remember passwords opens up a (small) security hole in your system. Obviously, KDE su does not allow anybody but your user id to use the passwords, but, if done without caution, this would lowers root's security level to that of a normal user (you). A hacker who breaks into your account, would get root access. KDE su tries to prevent this. The security scheme it uses is, in my opinion at least, reasonably safe and is explained here.

KDE su uses a daemon, called kdesud. The daemon listens to a UNIX® socket in /tmp for commands. The mode of the socket is 0600 so that only your user id can connect to it. If password keeping is enabled, KDE su executes commands through this daemon. It writes the command and root's password to the socket and the daemon executes the command using su, as describe before. After this, the command and the password are not thrown away. Instead, they are kept for a specified amount of time. This is the timeout value from in the control module. If another request for the same command is coming within this time period, the client does not have to supply the password. To keep hackers who broke into your account from stealing passwords from the daemon (for example, by attaching a debugger), the daemon is installed set-group-id nogroup. This should prevent all normal users (including you) from getting passwords from the kdesud process. Also, the daemon sets the DISPLAY environment variable to the value it had when it was started. The only thing a hacker can do is execute an application on your display.

One weak spot in this scheme is that the programs you execute are probably not written with security in mind (like setuid root programs). This means that they might have buffer overruns or other problems and a hacker could exploit those.

The use of the password keeping feature is a tradeoff between security and comfort. I encourage you to think it over and decide for yourself if you want to use it or not.