Re: X-windows security in Gnome

From: Benjamin Kahn <xkahn ximian com>
To: Havoc Pennington <hp redhat com>
Cc: gnome-hackers gnome org
Subject: Re: X-windows security in Gnome
Date: 16 May 2002 20:11:23 -0400

On Thu, 2002-05-16 at 19:48, Havoc Pennington wrote:
> Benjamin Kahn <xkahn ximian com> writes: 
> > 	Of course, as Chris Lahey pointed out just the other day, one of the
> > main points of this feature is to make sure the user REALLY IS typing
> > their password into the application they think they are tying it into. 
> > Another window can't just pop up, grab focus, and display what they are
> > typing.
> 
> Sure, but windows aren't supposed to get focus while you're typing in
> another app - they don't in Windows XP, for example. This is something
> that's easy to fix correctly, and the correct fix ends up really
> solving the problem for all users, not just theoretically solving it
> if everyone bothers to choose the "secure keyboard" menu item before
> and after they type something sensitive.

	Really?  How'd they solve this problem?  This happens to me a lot when
running things like Evolution.  I have a mail server which requires
authentication when sending mail.  I write an email, send it off, and
then go do something else.  Often the password dialog comes up and I
type for a little while before realizing what's happened.  It could
probably be fixed if I only gave focus to new windows which were
children of the current application, but what if I were composing a
second email?  

> In any case, if you have the menu item for this reason, it definitely
> should not be called "secure keyboard," since that name has created a
> widespread misconception that it makes you immune to key snooping and
> thus has probably encouraged insecure setups. I guess it should be
> called "work around broken focus policy" ;-)

	Hmm...  Sounds like a long menu item name.  How about: "Capture
Keyboard"?  :^)	

> > 	And, as another side point, I had a sawfish and panel crash the other
> > day when using GNOME 2.  All I could (easily) do was ask Nautilus to
> > open a terminal which I couldn't type into since I couldn't ask it to
> > grab the keyboard.
> 
> I have a problem with a menu item called "focus this window because my
> window manager crashed" ;-)
> 
> I usually go to a virtual console and type "DISPLAY=:0 windowmanager"
> 
> But a more realistic solution for end users is this one:
>  http://bugzilla.gnome.org/show_bug.cgi?id=75047
> 
> Combined with a generic session manager feature that protects you from
> losing all the key programs from the session (desktop icons, panel,
> WM). Users lose these from time to time, and generally don't know how
> to get them back.

	Sure.  This is a much better solution for this case when running
Profterm in a GNOME environment.

Follow-Ups:
- Re: X-windows security in Gnome
  - From: Havoc Pennington

References:
- X-windows security in Gnome
  - From: Brian Cameron
- Re: X-windows security in Gnome
  - From: Havoc Pennington
- Re: X-windows security in Gnome
  - From: Benjamin Kahn
- Re: X-windows security in Gnome
  - From: Havoc Pennington

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]