On 16/06/2009 mac_v wrote:
In no way the system should decide what windows it can open...If this is allowed it is only a matter of time before someone develops a worm which uses this behavior and pops-up a window similar to the update manager which also asks for the user password allowing the worm to takecontrol of the system using this password info. *Is ubuntu only going to realize this security risk after someone* *develops a proof of concept worm or a real virus* ? If this is done linux will no longer be THE secure OS.All windows in the window list should only be triggered by the user, allother system process should only trigger a notification.
Do you think it is easy to design a webpage that simulates such a "password fraud"? I see a difficulty here due to having to dim the whole screen to look like the standard password request, not that an user would not enter it in any kind of pop-up.
On the other hand, I have an idea for a secure way to ask for user input. In the installer, the user choses her own password, and the "secret phrase" which will be written in a root-only accessible file. This sentece will be shown to the user by the system when a password is asked and will autenticate the system with the user. The user should then be instructed not to enter his own password unless the right phrase is seen. A random phrase may be suggested automatically from a huge list.
Vincenzo