[opensuse-factory] Tumbleweed : Dodgy Security Pop Up - Requests Root Pass After Unlock of Screen Saver
Not sure where or who to report this to; I'm sure this would concern the separate /usr filesystem loving types.

    kde4-filesystem-4.6.4-4.1.i586
    kdm-4.6.4-5.1.i586
    polkit-0.101-7.1.i586

After returning to Tumbleweed PC, running a KDE desktop (but with X screen saver), I was surprised to see a pop-up which wished me to authenticate as root, via entering the root password into a posh official-looking dialogue:

    System policies prevent you from getting the brighness level.

    An application is attempting to perform an action that requires privileges. Authentication is req'd ..

    Password for root: [ ] Remember authorization

    Application :
    Action: Get brighness
    Vendor: KDE
    polkit.subject.pid: 3226
    polkit.caller.pid: 3971

    Details    OK    Cancel
    ------

    ladm@oak:~> ps aux |grep 3971
    root 3971 0.0 0.7 38152 7428 ? Sl 11:37 0:00 /usr/lib/kde4/libexec/backlighthelper

Now whilst this is obviously a bug, it concerns me that polkit & KDE even have it implemented to request authentication by root password like this. This should be handled by an error pop-up, if the privileges of a "helper" program are insufficient for it to operate, configuration error.

OK, this reminds me of Windows UAC where ironically the screen dims, but far better the end user clicks to permit application to proceed, rather than authenticate to some random bit of software that throws up a pop-up.

We have signed rpms, surely if KDE4 backlighthelper needs the capability there's better ways (like checking signature) of its legitimacy. Whilst su or kdesu do require authentication of user as "root" to run programs that require root privileges & change the computer configuration, that authentication is checking who you are, not a "please give me the root password" so I can get elevated privileges.

Design Error?

Asking a user to enter root password to pop-ups at unpredictable times would be a bad habit to get into! Not to mention the end users would hate it even more than Windows ppl dislike the confirmation clicks of UAC.

A confirmation request of a granted might be reasonable, but then the user needs better information than the 'caller pid' to go on. Hopefully there's a way to disable these pop-ups, they're IMO a mis-feature.

Rob

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
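Added example, not part of the original post and not KDE or polkit code: the dialogue above names the requester only by polkit.caller.pid, which the post looks up with ps. This sketch resolves a PID through /proc/PID/exe (the kernel's record of the binary, unlike the argv that ps prints) and, where rpm is installed, checks that the file is owned by a package and still matches the RPM database. The function names caller_exe and report_caller are hypothetical.

```shell
#!/bin/sh
# Assumes Linux /proc. Reading another user's /proc/PID/exe (for example a
# helper running as root) needs root; the rpm steps are skipped without rpm.

# Print the path of the executable behind PID $1; non-zero on failure.
caller_exe() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;   # accept digits only, never a path or option
    esac
    readlink "/proc/$1/exe" 2>/dev/null
}

# Resolve the PID, then ask the RPM database who owns the file and
# whether it has been modified since installation.
report_caller() {
    exe=$(caller_exe "$1") || {
        echo "pid $1: cannot read /proc/$1/exe (process gone, or re-run as root)"
        return 1
    }
    echo "pid $1 is running: $exe"
    command -v rpm >/dev/null 2>&1 || {
        echo "rpm not installed; package checks skipped"
        return 0
    }
    # A path ending in " (deleted)" means the binary was replaced on disk;
    # it will fail this ownership lookup, which is the desired warning.
    pkg=$(rpm -qf "$exe") || {
        echo "WARNING: $exe is not owned by any installed package"
        return 1
    }
    echo "owned by: $pkg"
    # rpm -V lists every file whose size, digest, mode, etc. has changed;
    # keep only the line for this exact path.
    changed=$(rpm -Vf "$exe" | awk -v f="$exe" '$NF == f')
    if [ -n "$changed" ]; then
        echo "WARNING: file differs from the package: $changed"
        return 1
    fi
    echo "file matches the RPM database"
}

# Stand-alone use: sh script.sh 3971
if [ $# -gt 0 ]; then report_caller "$1"; fi
```

A clean result only says the binary on disk is the packaged one; whether the packaged helper should be prompting for the root password is the policy question the post raises.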
On 30/06/11 18:59, Rob OpenSuSE wrote:
> Not sure where or who to report this to; I'm sure this would concern the separate /usr filesystem loving types.
>
>     kde4-filesystem-4.6.4-4.1.i586
>     kdm-4.6.4-5.1.i586
>     polkit-0.101-7.1.i586
>
> After returning to Tumbleweed PC, running a KDE desktop (but with X screen saver), I was surprised to see a pop-up which wished me to authenticate as root, via entering the root password into a posh official-looking dialogue:
>
>     System policies prevent you from getting the brighness level.
>
>     An application is attempting to perform an action that requires privileges. Authentication is req'd ..
>
>     Password for root: [ ] Remember authorization
>
>     Application :
>     Action: Get brighness
>     Vendor: KDE
>     polkit.subject.pid: 3226
>     polkit.caller.pid: 3971
>
>     Details    OK    Cancel
>     ------
>
>     ladm@oak:~> ps aux |grep 3971
>     root 3971 0.0 0.7 38152 7428 ? Sl 11:37 0:00 /usr/lib/kde4/libexec/backlighthelper
>
> Now whilst this is obviously a bug, it concerns me that polkit & KDE even have it implemented to request authentication by root password like this. This should be handled by an error pop-up, if the privileges of a "helper" program are insufficient for it to operate, configuration error.
>
> OK, this reminds me of Windows UAC where ironically the screen dims, but far better the end user clicks to permit application to proceed, rather than authenticate to some random bit of software that throws up a pop-up.
>
> We have signed rpms, surely if KDE4 backlighthelper needs the capability there's better ways (like checking signature) of its legitimacy. Whilst su or kdesu do require authentication of user as "root" to run programs that require root privileges & change the computer configuration, that authentication is checking who you are, not a "please give me the root password" so I can get elevated privileges.
>
> Design Error?
>
> Asking a user to enter root password to pop-ups at unpredictable times would be a bad habit to get into! Not to mention the end users would hate it even more than Windows ppl dislike the confirmation clicks of UAC.
>
> A confirmation request of a granted might be reasonable, but then the user needs better information than the 'caller pid' to go on. Hopefully there's a way to disable these pop-ups, they're IMO a mis-feature.
>
> Rob

Welcome to https://bugzilla.novell.com/show_bug.cgi?id=688267 which people (mostly me) have been complaining about for 2+ months now, and I agree with you, the way policykit asks for privileges doesn't seem right.

Regards,
Tejas

participants (2)
- Rob OpenSuSE
- Tejas Guruswamy