desktop-packages team mailing list archive

[Bug 651734] Re: Policykit password dialogs are insecure as they do not keep focus

 

** Changed in: policykit-1-gnome
       Status: In Progress => Expired

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to policykit-1-gnome in Ubuntu.
https://bugs.launchpad.net/bugs/651734

Title:
  Policykit password dialogs are insecure as they do not keep focus

Status in PolicyKit GNOME component:
  Expired
Status in policykit-1-gnome package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: policykit-1-gnome

  Policykit password dialogs are insecure as they do not keep focus.
  There are advantages to the way gnome-screensaver and gksudo treat the
  password prompt. As it blocks out any other input or window, you are
  less likely to be inputting to another source.

  I have experienced many times where I either discovered a password or
  shared my own because of this flaw in policykit.

  Examples of the issue:
  - Start an administrative utility which requests a password
  - Get the password prompt up
  - Either insert a USB disk or, if you have touchpad sensitivity (tap to click), **accidentally** click on a nautilus window in the background
  - Type the password and it shows up as a file search in the bottom right of the nautilus window

  As you can see, there are benefits to making sure the password is
  entered into the password prompt. policykit and many other password
  prompts do not lock out the screen, meaning the risk is higher that
  everyone will be able to see your passphrase in cleartext.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: policykit-1-gnome 0.96-2ubuntu2
  ProcVersionSignature: Ubuntu 2.6.32-24.43-generic 2.6.32.15+drm33.5
  Uname: Linux 2.6.32-24-generic i686
  NonfreeKernelModules: wl
  Architecture: i386
  Date: Wed Sep 29 22:51:43 2010
  InstallationMedia: Ubuntu 10.04.1 LTS "Lucid Lynx" - Release i386 (20100816.1)
  ProcEnviron:
   LANG=en_US.utf8
   SHELL=/bin/bash
  SourcePackage: policykit-1-gnome

To manage notifications about this bug go to:
https://bugs.launchpad.net/policykit-1-gnome/+bug/651734/+subscriptions