Mailinglist Archive: opensuse-factory (697 mails)

[opensuse-factory] Tumbleweed : Dodgy Security Pop Up - Requests Root Pass After Unlock of Screen Saver
  • From: Rob OpenSuSE <rob.opensuse.linux@xxxxxxxxx>
  • Date: Thu, 30 Jun 2011 18:59:29 +0100
  • Message-id: <BANLkTi=hodH1rRLpYRtcH+R34T=eCoL4tA@mail.gmail.com>
Not sure where or to whom to report this; I'm sure this would concern
the separate /usr filesystem loving types.

kde4-filesystem-4.6.4-4.1.i586
kdm-4.6.4-5.1.i586
polkit-0.101-7.1.i586

After returning to the Tumbleweed PC, running a KDE desktop (but with X
screen saver), I was surprised to see a pop-up which wished me to
authenticate as root by entering the root password into a posh,
official-looking dialogue:

System policies prevent you from getting the brighness level.

An application is attempting to perform an action that requires
privileges. Authentication is req'd ..


Password for root:
[ ] Remember authorization

Application :
Action: Get brighness
Vendor: KDE
polkit.subject.pid: 3226
polkit.caller.pid: 3971

Details OK Cancel
------

ladm@oak:~> ps aux |grep 3971
root 3971 0.0 0.7 38152 7428 ? Sl 11:37 0:00
/usr/lib/kde4/libexec/backlighthelper


Now, whilst this is obviously a bug, it concerns me that polkit & KDE
even have it implemented to request authentication by root password
like this. This should be handled by an error pop-up if the
privileges of a "helper" program are insufficient for it to operate;
that is a configuration error.

OK, this reminds me of Windows UAC where, ironically, the screen dims,
but it is far better that the end user clicks to permit the application
to proceed, rather than authenticating to some random bit of software
that throws up a pop-up.

We have signed RPMs; surely if KDE4 backlighthelper needs the
capability there are better ways (like checking the signature) of
establishing its legitimacy. Whilst su or kdesu do require
authentication of the user as "root" to run programs that require root
privileges & change the computer configuration, that authentication is
checking who you are, not a "please give me the root password so I can
get elevated privileges".


Design Error?

Asking a user to enter the root password into pop-ups at unpredictable
times would be a bad habit to get into! Not to mention the end users
would hate it even more than Windows people dislike the confirmation
clicks of UAC.

A confirmation request of a grant might be reasonable, but then
the user needs better information than the 'caller pid' to go on.
Hopefully there's a way to disable these pop-ups; they're IMO a
mis-feature.

Rob
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx
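The dialog in the post is what a polkit authentication agent shows when an action's `<defaults>` in its `.policy` file resolve to `auth_admin` (root/administrator password) rather than `yes` or `no`. The following is an added example, not code from the mail or from KDE/polkit, that audits `.policy` XML for actions which would raise such a dialog for an active local session, and builds a narrowly scoped `pklocalauthority` (`.pkla`) override for one action. The action ids, vendor and policy text are constructed for illustration; the `.pkla` stanza assumes the LocalAuthority backend of polkit 0.10x.

```python
"""Audit polkit .policy files for actions whose defaults trigger a password prompt."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the shape of a polkit .policy file.
# The action ids and vendor are hypothetical, not copied from KDE.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <vendor>Example Vendor</vendor>
  <action id="example.backlighthelper.brightness">
    <description>Get brightness</description>
    <message>System policies prevent you from getting the brightness level.</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="example.backlighthelper.setbrightness">
    <description>Set brightness</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="example.poweroff">
    <description>Power off the system</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# polkit default values that make the agent raise an authentication dialog.
ADMIN_PROMPT = {"auth_admin", "auth_admin_keep"}   # asks for an administrator/root password
SELF_PROMPT = {"auth_self", "auth_self_keep"}      # asks for the caller's own password


def parse_policy(xml_text):
    """Return {action_id: {"description": ..., "allow_any": ..., ...}} for every <action>."""
    root = ET.fromstring(xml_text)
    actions = {}
    for action in root.iter("action"):
        entry = {"description": (action.findtext("description") or "").strip()}
        defaults = action.find("defaults")
        for key in ("allow_any", "allow_inactive", "allow_active"):
            value = defaults.findtext(key) if defaults is not None else None
            # polkit treats a missing default as "no"
            entry[key] = (value or "no").strip()
        actions[action.get("id")] = entry
    return actions


def prompting_actions(xml_text, session="allow_active"):
    """List (action_id, default, kind) for actions that would show a password dialog
    for the given session class; kind is "admin" or "self"."""
    found = []
    for action_id, entry in parse_policy(xml_text).items():
        value = entry[session]
        if value in ADMIN_PROMPT:
            found.append((action_id, value, "admin"))
        elif value in SELF_PROMPT:
            found.append((action_id, value, "self"))
    return found


def pkla_override(action_id, identity="unix-group:users", result="yes"):
    """Build a pklocalauthority (.pkla) stanza that replaces the prompt with a fixed
    result for one action and one identity (assumes the LocalAuthority backend)."""
    return "\n".join([
        f"[Override prompt for {action_id}]",
        f"Identity={identity}",
        f"Action={action_id}",
        f"ResultActive={result}",
        "",
    ])


if __name__ == "__main__":
    for action_id, default, kind in prompting_actions(SAMPLE_POLICY):
        print(f"{action_id}: allow_active={default} ({kind} password prompt)")
    print(pkla_override("example.backlighthelper.brightness"))
```

Run against a real `/usr/share/polkit-1/actions/*.policy` file instead of `SAMPLE_POLICY` to see which installed actions can produce an `auth_admin` dialog; the override is deliberately per-action and per-identity so that a read-only action like "get brightness" can stop prompting without loosening anything else.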
