
unity-design team mailing list archive

Re: Possible security risk with update-manager

 

On Tue, 2009-12-15 at 07:58 -0200, Paulo J. S. Silva wrote:
> > Yes, but that's true for any window where the user is using the default
> > theme. It has nothing particularly to do with Update Manager.
> 
> There is something *very* specific to update-manager. It is the only
> application that asks my system password in an unpredicted manner. As
> far as I remember all other applications that ask my password do it in
> predictable moments. At least this is true for all other
> administrative applications that I remember.


I believe the problem stated is that of the asynchronous nature of the
update manager after the Jaunty change. After this change, there is a
password dialog that appears without correlation to the user's actions.

While we can debate the ability of a malicious user to design a
convincing counterfeit password dialog until we are blue in the face,
the reality is that the unsophisticated user is unable to recognize even
a crude forgery.  Thus we are looking at a symptom of a larger problem.

Yes, evolution among many others will ask for a password.  But if the
system is set up under the stated design goals, seahorse should handle
all passwords of this nature.  Thus we are left with an update dialog
that randomly prompts a user for a password.  

I'm going to get flak for this, but here goes.

a) Revert Lynx back to the old method of putting an update indicator back
on the desktop.  The advanced user, knowing the purpose of the icon,
can click to install updates at their leisure.  The password prompt will
be synchronous, in response to the user's initial click.

b) AND, provide an option on logout or reboot to install updates.  Keep
the same options layout as normal, but add a blingy, animated button to
the right of the existing options. Don't pull a MS and do the updates
for them.  Give them an option.  When they click on the update
option, the system asks them for a password, again in a predictable
responsive manner.  This will handle the unsophisticated user that
doesn't understand the purpose of the desktop icon which was the reason
for having the pop down in the first place.



