Re: gnome-keyring Passwords freely available after login



On 2010-12-07 22:13, Karl wrote:
> I realize this is an ongoing and well-worn topic, but I want to weigh in
> since I've been a frequent Ubuntu user for some time now.  I have a
> problem with the way Gnome keyring handles passwords.  

I believe you're talking about the way seahorse allows you to see
passwords. This is an ongoing problem that we're trying to figure out.

I've done more research and thinking about it, and would like to explain
the problem in a technical manner.

Essentially what we want is an access control list. We want certain
applications to be able to read the passwords (like the ones that need
to use the passwords in authentication). In addition we want other
applications not to be able to read the passwords (like key managers,
e.g. seahorse).

In order for any ACL to work there must be what's called a 'principal'.
The principal is the identification of the subject that is trying to
access the resource. When you go to a club for a night out, and the
bouncer checks your name against the list, your name is the principal.

On the Linux desktop we currently have a hard time figuring out a
principal per application. It's as if all the people going to the club
somehow had the same name, or interchangeable names (and photo IDs).
That would make the bouncer's job difficult.

Ah, but you say, can't you use the application's full path as the
principal? We tried that in the past, and it doesn't work for the
following reasons:

 1. Applications written in any sort of interpreted or VM-based
    language have a full path like: /usr/bin/python or /usr/bin/mono
    or /usr/bin/java.

 2. It's trivial to spoof the application path of a process by using
    stuff like $LD_LIBRARY_PRELOAD

So I don't know of a solid way to differentiate between applications
running on the user's desktop. They all run with the same credentials
(that of your unix login account), and they all appear pretty much the
same to gnome-keyring (the bouncer).

I'm not saying this is a dead end, but it is a difficult problem, given
what we have to work with.

Lastly, we want seahorse to be a manager of personal passwords (where I
go into seahorse and store my bank card PIN) as well as passwords for
other programs. For this reason there should be a way to see passwords
in seahorse rather than just bullets. But is there a way in the UI we
can find a good balance here?

If anyone has possible solutions, then we can consider them. This is
preferable to simply restating the problem in different ways over and
over again.

> I understand the
> philosophy that a user shouldn't feel more secure than they really are,
> and I agree up to the point where security is sacrificed for idealism. 
> If your car has separate door and ignition keys, you don't leave the
> ignition key hanging from the hood ornament simply because no one can
> open the door if you always remember to lock it.  The one time you
> forget, someone drives off with your car.

Analogies are lots of fun. FWIW the equivalent of leaving your keys on
your hood ornament is leaving your screen unlocked when you're away from it.

Cheers,

Stef
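
Added example, not part of the original message and not gnome-keyring code: a small Linux-only Python sketch of reason 1 above, showing that an ACL keyed on the executable path cannot tell two interpreted applications apart. The function names, the two stand-in scripts and the set-based ACL are assumptions made for illustration.

```python
import os
import subprocess
import sys


def exe_principal(pid):
    """Executable path the kernel records for a process (Linux /proc)."""
    return os.readlink(f"/proc/{pid}/exe")


def principals_for(sources):
    """Run each script as its own process and collect its exe-path principal."""
    procs = [
        subprocess.Popen([sys.executable, "-c", src], stdin=subprocess.PIPE)
        for src in sources
    ]
    try:
        return [exe_principal(p.pid) for p in procs]
    finally:
        for p in procs:
            p.stdin.close()  # EOF on stdin lets the stand-in script exit
            p.wait()


def demo():
    # Constructed stand-ins for two different desktop applications.
    mail_client = "import sys; sys.stdin.read()  # should be given the password"
    key_viewer = "import sys; sys.stdin.read()  # should be refused"
    allowed, other = principals_for([mail_client, key_viewer])

    # Hypothetical ACL: grant access to the mail client by its exe path.
    acl = {allowed}

    # Both scripts resolve to the interpreter binary, so the ACL entry
    # written for one application also matches the other.
    return allowed, other, other in acl


if __name__ == "__main__":
    allowed, other, wrongly_allowed = demo()
    print("mail client principal:", allowed)
    print("key viewer principal: ", other)
    print("key viewer passes the mail client's ACL entry:", wrongly_allowed)
```

Both principals come back as the path of the Python interpreter, so the check that was meant to admit only the first application admits the second as well.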

