gksudo potentially very insecure

Scott J. Henson scotth at csee.wvu.edu
Tue Jul 5 14:50:42 CDT 2005


Wouter Stomp wrote:

> <snip>
>
>Please not only an indicator in the notification area... This is the
>next line on the wiki:
>
>The dialog should always show up, even if "god mode" is still active,
>to indicate that I do something requiring administrative rights.
>During the 5min time period where no password input is required the
>password in the dialog should be prefilled.
>
>A notification icon would be better than nothing, but I know so many
>people that have that little update icon in their system tray no
>matter if it is on ubuntu or in windows and also firefox in windows
>with the little red arrow. Those icons are only useful if you already
>know what they mean. Most users will just ignore them. So please add
>some other notification mechanism. Having the usual dialog with the
>password prefilled would be a good solution I think (as far as I can
>see the best possible tradeoff between comfort and security).
>
>Anyway, great that someone is going to work on this.

I think seahorse-agent is a good example. It keeps your GPG passphrase
around for a designated amount of time, and whenever something requests
its services to retrieve said password, it asks you to confirm or
cancel. This is not at all a problem, nor is it annoying. Perhaps include
the program name and give an "Always Allow" option like the GNOME Keyring
does.



