Re: gnome-keyring Seahorse doesn't confirm you identity before showing passwords
- From: Adam Schreiber <adam schreiber gmail com>
- To: Corey <snkiz1 0 gmail com>
- Cc: gnome-keyring-list gnome org
- Subject: Re: gnome-keyring Seahorse doesn't confirm you identity before showing passwords
- Date: Mon, 2 Nov 2009 21:31:34 -0500
On Wed, Oct 28, 2009 at 9:27 PM, Corey <snkiz1 0 gmail com> wrote:
> The subject says it all there is a huge debate here:
> http://ubuntuforums.org/showthread.php?p=8184587
> and a Ubuntu bug here: https://bugs.launchpad.net/seahorse/+bug/189774
>
> this is my thought on how to fix it.
>
> The way I see it Ubuntu is almost there, seahorse does ask permission
> just no confirmation. And we do have the tools like gconf. And
> policykit, witch can handle non-root permissions and IMO is way under
> used.
I don't think PolicyKit works the way you think it does.
http://hal.freedesktop.org/docs/PolicyKit/model.html
> Here's my idea, create a sane list of default apps that can access
> seahorse.
Access *gnome-keyring*. Seahorse doesn't store your secrets.
> The ability to change that list through gconf, and
Gconf is in no way secured. All an attacker has to do is add their
app to the list and it gets access.
> permission checks through policykit for unexpected apps, changing info
> or viewing passwords. And finally come up with a unified personal
> security policy for the desktop as a whole. (IN about me you need your
> password to change your password and about me does not display clear
> text.)
Currently in gnome-keyring, if you know everything else about a
secret, you know the secret as well.
Cheers,
Adam
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
