Does it really come as this big surprise to people that if you leave your desktop unattended and unlocked at hands of people you can't trust your personal information might be compromised? :D

Still, everybody complaining about the keyring seems to ignore the fact that not locking your session leaves all your files and information vulnerable, and completely compromises your user's security (since malware such as keyloggers can be easily installed to that user account).

If you are afraid that you don't remember to lock the session yourself, you can set that to happen automatically. Both gnome-screensaver and the power manager have that option.

If you forget to lock your car doors it's unlikely that your insurance company would pays you anything if somebody steals everything from your car (and perhaps the car itself). If you yourself let the person in your car, the situation is even worse.

Is it really that hard to accept that yes, the user does have a part in maintaining the system's security. Compromising the security at larger scale yourself (your whole user account) and then complaining that the system doesn't protect some minor component (passwords stored inside that account) seems quite backwards to me.

Perhaps complaining about small details is easier than admitting that you are yourself causing the larger-scale security issue...

Look, scripts can be run when your screen is locked.

Also, when sudo is compromized it affects all system users. If someone doesn't lock their own account only their own account is compromized.

Back to my car analogy:
If you leave your car unlocked with your keys available inside - oops.

If you leave your garage unlocked with everybodys keys and cars inside - oops again.

I'm done with this argument. It's silly.

Does it really come as this big surprise to people that if you leave your desktop unattended and unlocked at hands of people you can't trust your personal information might be compromised? :D

Still, everybody complaining about the keyring seems to ignore the fact that not locking your session leaves all your files and information vulnerable, and completely compromises your user's security (since malware such as keyloggers can be easily installed to that user account).

If you are afraid that you don't remember to lock the session yourself, you can set that to happen automatically. Both gnome-screensaver and the power manager have that option.

If you forget to lock your car doors it's unlikely that your insurance company would pays you anything if somebody steals everything from your car (and perhaps the car itself). If you yourself let the person in your car, the situation is even worse.

Is it really that hard to accept that yes, the user does have a part in maintaining the system's security. Compromising the security at larger scale yourself (your whole user account) and then complaining that the system doesn't protect some minor component (passwords stored inside that account) seems quite backwards to me.

Perhaps complaining about small details is easier than admitting that you are yourself causing the larger-scale security issue...

Sigh.. those car analogies.

Anyway if locking the screen is the only safe way and mandatory to have any sort of protection, then sudo authentication should not time out. I should not have to type in my password a million times per day, a solution like in windows where you just chose to run something as administrator or click an "ok" button should suffice. IOW, sudo would still be required but the password should not.

If thats what you're advocating, then perhaps, but having AND the annoyance of sudo passwords timing out and the huge security threat when you dont lock your screen we got the worst of both worlds now. The inconvenience and the security threat.

mcduck I don't believe anyone has forgotten that. And a locked screen wouldn't stop someone who knows what their doing. <ctl><alt>f1 and your at a console wheres Gnome security then? Your back to one layer, a single password. Then let the hack begin.

The point of the thread is the keyring is to accessible for comfort. Not how good it is, or how it should be used, or even how to protect it. Just why is it 4 clicks away? Many users are not comfortable with that.

Look, scripts can be run when your screen is locked.

how? I mean how would an intruder abuse an unlocked sudo while the screen is locked? If that somehow does provide a security threat then unlocking sudo would itselve constitute an unacceptable security threat. There is no point being safe 23 hours per day.


Also, when sudo is compromized it affects all system users. If someone doesn't lock their own account only their own account is compromized.


How would sudo be compromised? You are the one saying an unlocked screen is inherently insecure if you are afk, so that it could also affect other users is what makes it unacceptable? So its okay if your own security is compromised, but that of other accounts you find unacceptable. I dont understand the logic.

Back to my car analogy:

Im done reading car analogies. If you cant make the argument without resorting to cars then perhaps you dont have one.

BTW, locking the screen doesnt work on my Karmic. It does nothing. I guess I should file a bug report and mark it critical and delay the release now ;)

Sigh.. those car analogies.

Anyway if locking the screen is the only safe way and mandatory to have any sort of protection, then sudo authentication should not time out. I should not have to type in my password a million times per day, a solution like in windows where you just chose to run something as administrator or click an "ok" button should suffice. IOW, sudo would still be required but the password should not.

If thats what you're advocating, then perhaps, but having AND the annoyance of sudo passwords timing out and the huge security threat when you dont lock your screen we got the worst of both worlds now. The inconvenience and the security threat.

If you don't want a car analogy, I can definitely make some other analogy for you if you need one. (I've already made a fairly nice comparison in this thread between locking you home door to keep unwanted people out and protect your belongings and locking your user session to protect your belongings) :D

Here you go: "If you forget to lock your home doors it's unlikely that your insurance company would pay you anything if somebody steals everything from your home. If you yourself let the person in your home, the situation is even worse."


It's also already been mentioned here that there's a different level of security policy for protecting one user account and the whole system. And suggested that you can easily try using a non-admin user account yourself to easily see the difference between protecting the whole system and one user account.

And, no matter what kind of policy you use to protect the keyring, or no policy at all, it's still compromised when you leave your session unlocked and the machine unattended. Adding a password to see the keys would only bring an illusion of security when the reality wouldn't change all and all your files and keys would still be unsecure.

I like sudo timing out thank you. if a script with sudo runs on my system while sudo is unlocked it doesn't ask for a password. so if for some insane reason I download a script and run it without realizing it has sudo in it bad things may happen. With the timeout That window of oppportunity is limited.

One more time for those in the back. sudo is root access seahorse is user access, an important distinction.

If you don't want a car analogy, I can definitely make some other analogy for you if you need one. (I've already made a fairly nice comparison in this thread between locking you home door to keep unwanted people out and protect your belongings and locking your user session to protect your belongings) :D

Its not the cars that bother me, its the fact you have to resort to analogies to argue the point. The rest of your post is a repitition of what has already been said a dozen times but doesnt address my points.

If you dont like the illusion of security, then having 500x popups per day asking your password would be the first thing to eliminate. Not only does it give the same illusion its also pretty annoying (unlike having to type a pw once every 6 months when you open seahorse).

I like sudo timing out thank you. if a script with sudo runs on my system while sudo is unlocked it doesn't ask for a password. so if for some insane reason I download a script and run it without realizing it has sudo in it bad things may happen. With the timeout That window of oppportunity is limited.


Yes Sudo should ask permission to run as root, or you should manually launch it as root (with sudo or otherwise). But why would it need to re authenticate you? If the person behind the screen is to be trusted as being the same sudoer that logged in 5 hours earlier? Why a password when a simple popup as in windows would achieve the same?

Its not the cars that bother me, its the fact you have to resort to analogies to argue the point. The rest of your posts is a repitition of what has already been said a dozen times but doesnt address my points.

If you dont like the illusion of security, then having 500x popups per day asking your password would be the first thing to eliminate. Not only does it give the same illusion its also pretty annoying (unlike having to type a pw once every 6 months when you open seahorse).

I have already explained the same pouints thout using analogies, but it seems that the points were not understood. hence the use of an analogy to try to explain the situation to those who didn't undertand the pount when it was described directly.

I don't know what you are doing if you get 500 password popups per day, but I can tell you you are definitely doing somehting wrong if that's the case. try using "sudo -i" and "gksudo nautilus"and you don't have to do that any more.

And yes, I also answered your point about the sudo timeout. You just ignored it. Since you dislike repetition (and so do I) I'm not going to repeat the answer to you. :)

mcduck I don't believe anyone has forgotten that. And a locked screen wouldn't stop someone who knows what their doing. <ctl><alt>f1 and your at a console wheres Gnome security then? Your back to one layer, a single password. Then let the hack begin.

The point of the thread is the keyring is to accessible for comfort. Not how good it is, or how it should be used, or even how to protect it. Just why is it 4 clicks away? Many users are not comfortable with that.

Ctrl-Alt-F1 won't do anything unless you have password for the user account. If you do, the account is already compromnised and the security breach has happened already, somewhere else.

Using TTY, locked screen, logging out of session or even shutting down the machine completely or whatever, the security is in protecting your user account by use of user password. If you fail to do that, all your files and the whole account is compromised anyway. Small change in the keyring management won't change that. The security is already broken before the point when somebody is able to access the Keyring Manager.

Those who are rigidly against any change have not been able to answer this simple question:

What is relatively more secure:
a) 9 out of 10 people can steal my passwords
b) 2 out of 10 people can steal my passwords


Those who say "don't let them use it, if you don't trust" fail to appreciate the fact in real life an extremely large number of people are NEITHER absolutely trustworthy nor absolutely untrustworthy. We may trust a person with one thing (e.g. they wont install keyloggers) but not with another (e.g. if a password is right in front of them they might be tempted to use it). Also, you guys fail to realise that there is a big difference in professional thieves or determined hackers and opportunists. Opportunists can be everywhere but most people don't have people with scripting knowledge around them.



It would be security through obscurity if it were the ONLY measure. It is an additional layer that we want that would protect us from 90% of the people. Thinking that a user would never ever forget to lock the screen is seriously flawed. We want a system where in the rare case we forget to lock the screen, we would still be protected from 90% of the people. Currently, our passwords are vulnerable to almost 9 out of 10 people, in case we forget to lock screen.



I hate the car analogy here (lol) but I have to say this. Some thieves are professionals and some are opportunists. Some professionals have jammers that would render the tracker you have installed useless. Does it mean tracking is useless just because a few can get past it? On top of that there are thieves:

- who steal cars
- who steal only music systems from the cars
- who only steal the side mirrors
- who only steal CNG kits
- and a few other types

We have different security measures for all these types and not JUST for the most advanced and professional thief.




If you think the *show passwords button* is there to make the user lock the screen, why not have the passwords displayed ON the desktop background. That is thousand times more likely to make a person lock the screen. Seriously, tell me?

I don't know what you are doing if you get 500 password popups per day, but I can tell you you are definitely doing somehting wrong if that's the case. try using "sudo -i" and "gksudo nautilus"and you don't have to do that any more.


500x is an exaggeration of course, but its more than once, and more than once per session would be pointless if you can indeed assume the person behind the unlocked screen to be the same user that logged in. Thats the assumption seahorse/keyring/gnome makes. Its one I disagree with and sudo policy seems to disagree as well.

Those who are rigidly against any change have not been able to answer this simple question:
What is relatively more secure:

a) 9 out of 10 people can steal my passwords
b) 2 out of 10 people can steal my passwords


That's because there's a third alternative we've been trying to tell you:


0 of 10 people can steal my passwords, and in addition all my files are safe as well and my user account stays uncompromised.


That way, those people able to access the passwords would truly have to be skilled, instead of just fairly cunning which is all it takes to get your keys from the keyring even if the keyring manager won't show them. And I really mean that a bit of cunningness is all it takes, no programming skills required or any advanced stuff like that.

What comes to people not being absolutely trustworthy or absolutely untrustworthy, I don't see what that has to do with you letting them use your personal user account when there's the Guest Session available. That way you don't even have to try to decide if you can trust those people or not. Even better, that would be quite a polite thing to do anyway since perhaps the person using your computer doesn't quite trust you and might like to keep his browsing history secured from you.. Letting him use the guest session instead of your own brings security to both, you and the guest.

the.lost.one
That is the difference between a developer/geek(no offence intended.) train of thought and a users. I've seen this a few times since going down the FLOSS path. The dev's have stubbornly set their position and sadly only a large public outcry will cause any action to be taken.

I would also like to know why is it that Empathy, Pidgin use keyring but aMSN does not? If the Ubuntu developers can make some applications use keyring, why not make the applications encrypt passwords themselves?

Currently, as some people have mentioned that all applications have access to keyring once a user is logged in. Why not have a system where ONLY the applications a user authorise can access keyring? And no it wont be a bother because one has to type the password the first time one is saving it. After that only the "xyz" application i have authorised would automatically access the password.

That way even if someone tries to run a script to get all my passwords, they wont be able to because their script wont be authorised to access keyring.

Someone also said that a keylogger could be installed without the sudo password? It that really true? Does someone actually know? Because in Windows you cannot install a keylogger without admin elevation.

That's because there's a third alternative we've been trying to tell you:


0 of 10 people can steal my passwords, and in addition all my files are safe as well and my user account stays uncompromised.


That way, those people able to access the passwords would truly have to be skilled, instead of just fairly cunning which is all it takes to get your keys from the keyring even if the keyring manager won't show them. And I really mean that a bit of cunningness is all it takes, no programming skills required or any advanced stuff like that.

What happens if you forget to lock screen? Are you telling me there is no chance you would ever forget? In the system we are suggesting you'd still be protected from most if you forget. It is a measure to minimise damage.

It is not advanced for you, but I dont know how to, and a lot of people don't.

What happens if you forget to lock screen? Are you telling me there is no chance you would ever forget? In the system we are suggesting you'd still be protected from most if you forget. It is a measure to minimise damage.

It is not advanced for you, but I dont know how to, and a lot of people don't.

I really need to repeat this once again? I've mentioned this at least 5 times in this thread now:

Both Gnome-screensaver and the power manager allow you to set the session to lock automatically. Just enable that if you feel that you might not remember to lock the session yourself.

(so yes, there's no change that my session would ever be left unlocked. It locks automatically if I for some reason would forget to do it myself)

I'm not really into targeting for minimizing damage and creating illusion of security when there's the option of trying to completely prevent the damage in the first place and creating some level of real security. False illusion of security is even worse than no security at all.

I really need to repeat this once again? I've mentioned this at least 5 times in this thread now:

Both Gnome-screensaver and the power manager allow you to set the session to lock automatically. Just enable that if you feel that you might not remember to lock the session yourself.

(so yes, there's no change that my session would ever be left unlocked. It locks automatically if I for some reason would forget to do it myself)

Is your timeout set for 30 seconds? if not your unprotected until the screensaver kicks in.

I'm not really into targeting for minimizing damage and creating illusion of security when there's the option of trying to completely prevent the damage in the first place and creating some level of real security. False illusion of security is even worse than no security at all.
lap belts in cars can cause injury,by your logic your better off not being straped in?
FAIL

I really need to repeat this once again? I've mentioned this at least 5 times in this thread now:

Both Gnome-screensaver and the power manager allow you to set the session to lock automatically. Just enable that if you feel that you might not remember to lock the session yourself.

While its certainly a good idea to enable that, using your logic its another false sense of security, since anyone could move the mouse to restart those 15 minutes endlessly. In the real world you also often expect to return to your pc instantly but while walking back with your cup of coffee you get called away, meet someone, you stumble and break a leg.
Not too mention opening seahorse and printing a printscreen would take less than 1 minute. No too mention the fact my "lock screen" doesnt work for some reason :)

For all those cases it would be nice if seahorse did not make it so blatantly easy to obtain my passwords.

What comes to people not being absolutely trustworthy or absolutely untrustworthy, I don't see what that has to do with you letting them use your personal user account when there's the Guest Session available.

Quite a bit of people don't think that it has nothing to do with it. If I, say, make my hypothetical new girl friend log in as guest, that sends her the signal that I don't trust her. I might trust her with using my computer but I don't want her to know every single password in keyring. You can say thats normal, she should understand and I should try to change how she thinks. But you know what? I'd rather change how my passwords are stored instead of how the girl friend thinks.

This is just one if the many scenarios in which it will be useful to have this feature or security layer, whichever way you wanna look at it.

Even better, that would be quite a polite thing to do anyway since perhaps the person using your computer doesn't quite trust you and might like to keep his browsing history secured from you.. Letting him use the guest session instead of your own brings security to both, you and the guest.

Is that true? Because it appears that if I have sudo password I can install malicious software for all users including guests?

Is your timeout set for 30 seconds? if not your unprotected until the screensaver kicks in.

lap belts in cars can cause injury,by your logic your better off not being straped in?
FAIL

It's 2 minutes. At least that's a lot better than letting anybody always to have a free access to the system. And pretty much enough to make sure nobody has enough time to find that my machine is unattended and unlocked and access it, at least in the time that's left after I've left the room... Still, this far I haven't forgotten to lock the machine myself, and even if I would I wouldn't blame it on anybody else than myself..

And FAIL yourself. As long as you know that some system is not secure you know that you are yourself responsible, and know to take required actions to prevent damage. With the false security you imagine that the system is secure enough that you don't need to take any responsibility yourself.

Your seat belt analogy might be correct if using seatbelts woud actually create very little extra safety (or no safety at all) but were still marketed as something that would protect you ~100% in case of accidents. If that was the case then yes, I wouldn't bother strapping myself in. (In reality seat belts actually bring considerably more security than cause damage, so I'm using them).

It's reasonable to wonder why passwords for things other than your local computer can be viewed in clear text without entering a password. Even Windows doesn't allow that. There is a tool called "SnadBoy Revelation". Go and Google it. With it you can unmask any password Windows is "protecting". So even if Windows doesn't show the password it's easy for a user-space application such as "SnadBoy" to find it in the RAM and reveal it.

At least with Linux you know right away what you're dealing with.

Quote:
Originally Posted by mcduck http://ubuntuforums.org/images/buttons/viewpost.gif (http://ubuntuforums.org/showthread.php?p=8187496#post8187496)
I really need to repeat this once again? I've mentioned this at least 5 times in this thread now:

Both Gnome-screensaver and the power manager allow you to set the session to lock automatically. Just enable that if you feel that you might not remember to lock the session yourself.

How inconvenient it would be if I have to unlock the screen after every 5 minutes! Plus, for for those 5 minutes, even a noob can get my passwords.

Edit:
If I am a reporter in a war zone I would wear a helmet and bullet proof vest and not when I am going shopping in a peaceful area.

Is that true? Because it appears that if I have sudo password I can install malicious software for all users including guests?
Of course you can, if you are the admin of the machine.

If we must be this pedantic about details then let me put it this way: letting guest users use guest account instead of your own will bring you considerably better security, and the guest user better security than using your account would. Still, the guest user is using your computer and thus must have some level of trust towards you and accept the fact that the machine is still yours and runs software you have installed and configured.

Quote:
Originally Posted by mcduck http://ubuntuforums.org/images/buttons/viewpost.gif (http://ubuntuforums.org/showthread.php?p=8187496#post8187496)
I really need to repeat this once again? I've mentioned this at least 5 times in this thread now:

Both Gnome-screensaver and the power manager allow you to set the session to lock automatically. Just enable that if you feel that you might not remember to lock the session yourself.

How inconvenient it would be if I have to unlock the screen after every 5 minutes! Plus, for for those 5 minutes, even a noob can get my passwords.
Then perhaps you could try to lock them machine yourself? Most peoople don't really have any problems remebering to lock their home doors, their cars, remeberign to take their ATM cards out of the ATM machine after withdrawing some money etc.. I don't see how remebering to lock your computer would be som much harder than those things are.

And even if the machine would only unlock after those 5 minutes, it would still be more secure than not unlocking it at all. I once again need to repeat myself, but getting the keys out of the keyring on an unlocked session doesn't require any programming skills, just a bit of cunning. (I'd rather not start describing the ways the keys can actually be accessed without using the keyring manager and writing any programs. Besides, at least one method has already been mentioned in this thread. The point is that the keys are still accessible as plain text through the programs that already exist in your system and use those keys.)

I would also like to know why is it that Empathy, Pidgin use keyring but aMSN does not? If the Ubuntu developers can make some applications use keyring, why not make the applications encrypt passwords themselves?

pidgin doesnt use the keyring, it stores its files in plain text
http://developer.pidgin.im/wiki/PlainTextPasswords
you can have applications encrypt the passwords them selves, unfortunately, because most of the apps we use are open source the encryption method is on show, so either you require another password, or you have a useless encryption method.


Currently, as some people have mentioned that all applications have access to keyring once a user is logged in. Why not have a system where ONLY the applications a user authorise can access keyring? And no it wont be a bother because one has to type the password the first time one is saving it. After that only the "xyz" application i have authorised would automatically access the password.

That way even if someone tries to run a script to get all my passwords, they wont be able to because their script wont be authorised to access keyring.

first does that mean you wouldnt allow seahorse access to the passwords?
second this indicates that you have an app on your system that you dont trust, that is a bigger security flaw than having passwords on show, again the apps are open source the app can just rip all the stuff out of trusted app to make it appear that it is a trusted app.

And FAIL yourself. As long as you know that some system is not secure you know that you are yourself responsible, and know to take required actions to prevent damage. With the false security you imagine that the system is secure enough that you don't need to take any responsibility yourself.

First off, the timer resets if you touch the keyboard or mouse so thats a false sense of security. second most don't know the system is that insecure. Ubuntu and Gnome has done nothing to inform the user. Third it would be far easier for me to just remove the keyring altogether then to stay here arguing the function of seahorse. so I am taking responsibility, for newbies that don't know any of this.

pidgin doesnt use the keyring, it stores its files in plain text
http://developer.pidgin.im/wiki/PlainTextPasswords
you can have applications encrypt the passwords them selves, unfortunately, because most of the apps we use are open source the encryption method is on show, so either you require another password, or you have a useless encryption method.
Not true open source encryption depends on a random key. even with the source for the encryption method you still need that key.

First off, the timer resets if you touch the keyboard or mouse so thats a false sense of security. second most don't know the system is that insecure. Ubuntu and Gnome has done nothing to inform the user. Third it would be far easier for me to just remove the keyring altogether then to stay here arguing the function of seahorse. so I am taking responsibility, for newbies that don't know any of this.

Yes. I set the timeout to short enough that It's unlikely that I'd have left the room before the system gets locked. And as long as Im in the room nobody will not be able to touch the keyboard or mouse unnoticed.

Lets turn this issue around. Here's a question for everybody who wants this change in the keyring manager:

Are you now locking your session when you leave it unattended? Have you set any timeout for automatic locking? Are you using the Guest Session for guest users instead of letting them access your personal user account? If not, then why are you demanding for extra security when you don't even bother to use the (really easy and simple) security measures you already have available?

edit: or are you perhaps only interested in security as long as it happens automatically, without you having to take any personal action or responsibility? Cause complaining about things in Internet is easier than learning to press a simple keyboard shortcut (or two clicks from the menu) when leaving your computer unattended?

Answer yes I lock the screen yes I have a timeout. and no I don't use the guest session due to ram limitations. Fianly yes every member of my family and even some of my friends have a user name on my computer. that doesn't change the fact that some times these measures are not used.

My post:
Currently, as some people have mentioned that all applications have access to keyring once a user is logged in. Why not have a system where ONLY the applications a user authorise can access keyring? And no it wont be a bother because one has to type the password the first time one is saving it. After that only the "xyz" application i have authorised would automatically access the password.

That way even if someone tries to run a script to get all my passwords, they wont be able to because their script wont be authorised to access keyring


first does that mean you wouldnt allow seahorse access to the passwords?
second this indicates that you have an app on your system that you dont trust, that is a bigger security flaw than having passwords on show, again the apps are open source the app can just rip all the stuff out of trusted app to make it appear that it is a trusted app.

I only stated what I want. I cant design it. I am not a coder.

No, it is not about whether you trust an app. Why would anyone WANT an app to have access to passwords it is not supposed to use? I am an auditor and I know that Auditing standards require limiting access to information to only that is needed. Plus that was in reply to those who said anyone can write an app and get your password even if it is not visible. It will protect it from that.

Are you a developer or technical guy? Can you please tell me why in the world a keylogger could be installed on Ubuntu without root password, if that is true as some has suggested. In Windows you need admin level access to install keyloggers.

Not true open source encryption depends on a random key. even with the source for the encryption method you still need that key.
that key still needs to be stored somewhere, with a password its in your head, if not it has to be stored somewhere.

Are you now locking your session when you leave it unattended?

I would if I could
https://bugs.launchpad.net/ubuntu/+source/indicator-session/+bug/436724
A low priority bug prevents me from protecting my passwords.

Have you set any timeout for automatic locking?
yes, but its not working. Same bug

Are you using the Guest Session for guest users instead of letting them access your personal user account?

Of course. unless Im there sitting next to them.

edit: or are you perhaps only interested in security as long as it happens automatically, without you having to take any personal action or responsibility?

No, not ONLY, but yes of course Im interested in more security that doesnt depend on my forgetfulness or (in)ability to lock my screen. Are you not?

I hear you on that. Its a question of how far you want to take it. You could keep you encrypted keys on a flash drive or memorize them. (I'm sure their are people out there that can do it.) Whatever all encryption really is is a very long password so the same rules would apply.

Woah! That bug P4man has pointed out should end the discussion. Only it would not

Woah! That bug P4man has pointed out should end the discussion. Only it would not

Did you read the bug report? It only happens if you have autologin enabled. So much for security when even the user session is configured to be accessible without a password...

Did you read the bug report? It only happens if you have autologin enabled. So much for security when even the user session is configured to be accessible without a password...

Read it again. Most users (me including) have it turned OFF

I only stated what I want. I cant design it. I am not a coder.

not wanting to be rude, but if you want to make a suggestion you need to understand the issues involved, or at least listen to the developers that do understand the issues, the developers dont think there is a problem, or at least dont think theres a way to make it more secure.


No, it is not about whether you trust an app. Why would anyone WANT an app to have access to passwords it is not supposed to use? I am an auditor and I know that Auditing standards require limiting access to information to only that is needed. Plus that was in reply to those who said anyone can write an app and get your password even if it is not visible. It will protect it from that.

i know my point is, it would be fairly easy at present to make one app look like another, if firefox is trusted, another app could just appear to be firefox to gain access to your firefox passwords.

Are you a developer or technical guy? Can you please tell me why in the world a keylogger could be installed on Ubuntu without root password, if that is true as some has suggested. In Windows you need admin level access to install keyloggers.
i wouldnt call my self a developer, but i do program, you dont need root access to install a program, i wouldnt have thought you would need root access for a keylogger, but ive never tried making one so its more of a guess then anything, but the issue is a bit moot anyway in my mind, if some one has physical access they could physically intercept input before the keyboard even reaches the pc.

Read it again. Most users (me including) have it turned OFF

Sorry, my bad. I just read through the end of the report and that's true. Besides, I have one machine running 9.10 with autologin enabled and it locks the display just as fine as others so the problem clearly is somewhere else. :)

Thats okay, and bugs happen, its not because this particular bug prevents me from locking my screen that it really changes the issue. I got a problem with the fundamental concept that allows anyone to view my passwords with am absolute minimum of effort or knowledge while Im expected to do a considerable effort typing my long and secure password God knows how often each day to perform fairly trivial tasks.

If my unlocked desktop is going to be fundamentally insecure at least Id like it to be convenient. If its gonna be inconvenient at least it should provide SOME protection from undetectable password/identity theft when I turn my back for 30 seconds.

By the way, it takes exactly as many mouse clicks to view wireless passwords (for example) through the Network Manager applet as it takes to read them through Seahorse...

But I must say that I hope they fix that session locking bug pretty soon, I'd hate to see that happening on any of my computers.. That would pretty much mean having to log out every time I leave my computer unattended. :/

By the way, it takes exactly as many mouse clicks to view wireless passwords (for example) through the Network Manager applet as it takes to read them through Seahorse...

Each will have different concerns. Personally I dont care about the wifi password. At home I even got one unsecured AP for guests or neighbors or anyone really since I dont mind anyone within range using my wifi (its unlimited and I dont live in a city or apartment block with people I dont know). I got a second AP with WPA protection, but even that I dont really care much if the password leaks. At work everyone knows the password anyway.

Im much more concerned about email/IM passwords being visible. Far more than I am about someone quickly glancing over my email behind my back. Or if one day Skype supports the keyring that would potentially be disastrous (you can be logged in to skype on more than 1 location simultaneously, with no way of knowing if someome else is logged in as you. Not too mention the money it might cost you).

By the way, it takes exactly as many mouse clicks to view wireless passwords (for example) through the Network Manager applet as it takes to read them through Seahorse...

But I must say that I hope they fix that session locking bug pretty soon, I'd hate to see that happening on any of my computers.. That would pretty much mean having to log out every time I leave my computer unattended. :/

Since the Network Manager screen showed me the same dummy "click here to allow access to keyring" screen as seahorse did before showing my wireless passwords in clear-view, I see the issues as being the same. The keyring should require elevated access (simply re-confirming your username and password) before allowing a password to be shown.

Funny how people complain about having to type in password to change CPU Scaling, but when it comes to my passwords...naaaaaaaaaaaaaah that's ok! You already confirmed it's you 8 hours ago when you logged in! ](*,)

i know my point is, it would be fairly easy at present to make one app look like another, if firefox is trusted, another app could just appear to be firefox to gain access to your firefox passwords.

Is that possible and easy? I really doubt. I can't recall the exact details but I what I remember is that in Windows this particular issue of apps presenting as another has been dealt with. I think that there was an issue with software firewall in Windows that allowed a malicious program to say, "Hey, I am Firefox.exe, please allow me" and then it could run. But something changed in Windows or firewalls so that this is not the case anymore.

i wouldnt call my self a developer, but i do program, you dont need root access to install a program, i wouldnt have thought you would need root access for a keylogger, but ive never tried making one so its more of a guess then anything, but the issue is a bit moot anyway in my mind, if some one has physical access they could physically intercept input before the keyboard even reaches the pc.


If keylogger cannot be installed without sudo, it means that keyring's *show password button* (or its willingness to give access to all passwords to every app) is the only way for the person to get the passwords. As far as physical keylogger or devices are concerned, those are obviously no where as stealthy and free as software keylogger.

not wanting to be rude, but if you want to make a suggestion you need to understand the issues involved, or at least listen to the developers that do understand the issues, the developers dont think there is a problem, or at least dont think theres a way to make it more secure.

Why is there such animosity towards the obvious solution of requiring an additional password to view the password in plaintext? As I posted originally, that's what KeepassX does (if you ask it).

It would certainly solve the issue being raised here.

Please don't argue why doing so isn't necessary - that's already been argued over 290 odd posts. All I'm interested in is "why all the resistance to a seemingly common-sense fix?".

If keylogger cannot be installed without sudo, it means that keyring's *show password button* (or its willingness to give access to all passwords to every app) is the only way for the person to get the passwords. As far as physical keylogger or devices are concerned, those are obviously no where as stealthy and free as software keylogger.

This isn't about stopping keyloggers, hackers, thieves or such. This is about forgetting to lock your PC/laptop, say at work, while you pop away for a coffee. Then a subordinate/malicious staff member can't resist temptation and fires up seahorse and memorises your gmail account. Now he can sit for the next 6 months/however long until your change your gmail password, at home, reading all your e-mail and you'll never, ever know.

[edit : Keylogging without sudo appears to be possible : http://distrojockey.com/2005/ultimate-linux-keylogger-uberkey.190.linux, but reports on Uberkey appear to suggest that it's just not very reliable]

Why is there such animosity towards the obvious solution of requiring an additional password to view the password in plaintext? As I posted originally, that's what KeepassX does (if you ask it).

It would certainly solve the issue being raised here.

Please don't argue why doing so isn't necessary - that's already been argued over 290 odd posts. All I'm interested in is "why all the resistance to a seemingly common-sense fix?".

because doing so wouldnt make the system inherently any more secure, it would just make it seem so. keepassx (i assume)unencrypts the password when you enter the password, then when you exit, it re encrypts it, that fine, you cant do that with the passwords seahorse looks after because they are needed all the time, so it has to remain unlocked all the time, the only way to re encrypt them is to log out or lock the screen.

Please don't argue why doing so isn't necessary - that's already been argued over 290 odd posts. All I'm interested in is "why all the resistance to a seemingly common-sense fix?".

There is resistance because of an "I'm smarter than you, I'm not giving you the option because I know what's best." attitude. Non-techie people I speak to regarding this denounce the attitude as "paternal" and are shocked at the stated argument against this request.

Quote: "So they're trying to teach you a lesson, so you'll know better to lock your screen next time? I guess identity theft isn't that big a deal to them."

This isn't about stopping keyloggers, hackers, thieves or such. This is about forgetting to lock your PC/laptop, say at work, while you pop away for a coffee. Then a subordinate/malicious staff member can't resist temptation and fires up seahorse and memorises your gmail account. Now he can sit for the next 6 months/however long until your change your gmail password, at home, reading all your e-mail and you'll never, ever know.

Haha. Thats what I am saying. No clear text passwords. That is effective against a lot of people.

My reply was to those who said, "Oh, why are you worrying about show passwords button. Even if there were no clear passwords the person could install a keylogger." And I said that you need sudo password to do that which that person would not have. So some people said you dont need sudo to install keylogger. I find that odd since in windows you need admin level access.

because doing so wouldnt make the system inherently any more secure, it would just make it seem so. keepassx (i assume)unencrypts the password when you enter the password, then when you exit, it re encrypts it, that fine, you cant do that with the passwords seahorse looks after because they are needed all the time, so it has to remain unlocked all the time, the only way to re encrypt them is to log out or lock the screen.

I don't think Yahoo and MSN and other messenger services and webmails need it ALL the time. You need password ONLY when you log in.

If keylogger cannot be installed without sudo, it means that keyring's *show password button* (or its willingness to give access to all passwords to every app) is the only way for the person to get the passwords. As far as physical keylogger or devices are concerned, those are obviously no where as stealthy and free as software keylogger.

They can be installed without "sudo" or any administrative privileges. Lots of software can be installed that way, the difference is that without such privileges the programs are installed for that user only, while installing anything system-wide requires root privileges.

Many programs don't require any specific installing and can simply be extracted somewhere and run that way. Logging key presses is simple and easy, and user level programs are able to read from keyboard so there's nothing preventing such program from working even if it's not installed system-wide.

Still, keylogger for your account only would be a rather nasty thing anyway, which is exactly the reason why i've been saying that protecting your session is high priority, and whatever the keyring manager does is pretty much just a small detail compared to that. Compromised session means that the passwords are compromised as well.

Of course it's been argued that installing a keylogger or reading the passwords through other means is too hard for most of the people and thus it's not a concern (I disagree, although based on how many times a week I need to help somebody on these forums to change their keyring password I'm starting to feel that accessing the passwords through the Keyring Manager is too hard for most of the people.. :D)

Haha. Thats what I am saying. No clear text passwords. That is effective against a lot of people.

My reply was to those who said, "Oh, why are you worrying about show passwords button. Even if there were no clear passwords the person could install a keylogger." And I said that you need sudo password to do that which that person would not have. So some people said you dont need sudo to install keylogger. I find that odd since in windows you need admin level access.

I just googled around a bit and found a keylogger. From its webpate:
LKL is a userspace keylogger that runs under Linux on the x86 architechture. LKL sniffs and logs everything that passes through the hardware keyboard port (0x60). It translates keycodes to ASCII with a keymap file.

Sounds like it doesnt require root to run, but I cant install it without putting sudo before the make install command

because doing so wouldnt make the system inherently any more secure, it would just make it seem so. keepassx (i assume)unencrypts the password when you enter the password, then when you exit, it re encrypts it, that fine, you cant do that with the passwords seahorse looks after because they are needed all the time, so it has to remain unlocked all the time, the only way to re encrypt them is to log out or lock the screen.

Fundamentally disagree - doing so would make the system slightly more secure. Not "secure", but "slightly more secure" and would remove this thread from relevance because it fixes the scenario I posted about just there (about passerby seeing all your passwords while you're at the water cooler).

But back to my my question - why all the animosity? Nearly 300 posts of argument? Over something easily fixed? I've read EVERY post. It's soul destroying to read and it's bad for the image of Ubuntu when an easily fixed security issue is defended to the death like this.

I just wanted to understand where all that defending is coming from.

Haha. Thats what I am saying. No clear text passwords. That is effective against a lot of people.

My reply was to those who said, "Oh, why are you worrying about show passwords button. Even if there were no clear passwords the person could install a keylogger." And I said that you need sudo password to do that which that person would not have. So some people said you dont need sudo to install keylogger. I find that odd since in windows you need admin level access.

You don't need admin level access in Windows either, believe me. Only if you want to install one system-wide (as opposed to only the user account you have accesss to), or hide it very well, which is exactly the same as it's in Linux

I just googled around a bit and found a keylogger. From its webpate:


Sounds like it doesnt require root to run, but I cant install it without putting sudo before the make install command


LKL needs sudo to install, because it logs everything to /var/log by default. The Uberkey software I posted about only writes to std out, so it's a different story.

Google them though and you'll find that both are horrendously choppy in every day use unless you really know what you're doing.

Again, this thread isn't about keylogging, compromises, hacking or the like. It's about temptation and opportunism of someone noticing an unlock PC and thinking "I wonder...?". Seahorse could easily resolve this with a password prompt, but chooses not to.

I wonder why?

Is that possible and easy? I really doubt. I can't recall the exact details but I what I remember is that in Windows this particular issue of apps presenting as another has been dealt with. I think that there was an issue with software firewall in Windows that allowed a malicious program to say, "Hey, I am Firefox.exe, please allow me" and then it could run. But something changed in Windows or firewalls so that this is not the case anymore.

i suppose if you built it into the kernel, it would be able to stop one app masquerading as another, but seahorse/gnome keyring just uses an api and i dont see how you could prevent it, having said that i dont know how windows does it so i dont know, anyway the work around would just be to read the unencrypted keys directly


If keylogger cannot be installed without sudo, it means that keyring's *show password button* (or its willingness to give access to all passwords to every app) is the only way for the person to get the passwords. As far as physical keylogger or devices are concerned, those are obviously no where as stealthy and free as software keylogger.
a keylogger can be installed without sudo, im not as sure whether it would run without sudo (as i say ive never tried making one, i fairly sure tho that the reason sudo doesnt echo anything on password input is to defeat keyloggers).regarding the physical keylogger, how often do you check behind you pc? all you need is something to intercept the signal inbetween the keyboard and pc, regardless if someone really wanted to they could just reboot your pc into rescue mode to get root access and install a keylogger that way,and get your passwords etc.

LKL needs sudo to install, because it logs everything to /var/log by default. The Uberkey software I posted about only writes to std out, so it's a different story.

Google them though and you'll find that both are horrendously choppy in every day use unless you really know what you're doing.

Again, this thread isn't about keylogging, compromises, hacking or the like. It's about temptation and opportunism of someone noticing an unlock PC and thinking "I wonder...?". Seahorse could easily resolve this with a password prompt, but chooses not to.

I wonder why?

I completely agree with you.
Its like some weird "linux is perfect but its users suck" attitude.

They can be installed without "sudo" or any administrative privileges. ....for that user only, while installing anything system-wide requires root privileges.

Many programs don't require any specific installing and can simply be extracted somewhere and run that way. Logging key presses is simple and easy, and user level programs are able to read from keyboard so there's nothing preventing such program from working even if it's not installed system-wide.



I am very new to Linux so I don't understand its way of doing things yet. But I had the impression that ubuntu or linux would have every relevant security measure that Windows has and some more. If Windows can restrict installation of keylogger to admin level, why can't Ubuntu? Or rather, why it doesnt?


Of course it's been argued that installing a keylogger or reading the passwords through other means is too hard for most of the people and thus it's not a concern (I disagree, although based on how many times a week I need to help somebody on these forums to change their keyring password I'm starting to feel that accessing the passwords through the Keyring Manager is too hard for most of the people.. :D)

Haha

Fundamentally disagree - doing so would make the system slightly more secure. Not "secure", but "slightly more secure" and would remove this thread from relevance because it fixes the scenario I posted about just there (about passerby seeing all your passwords while you're at the water cooler).

in that case lock the screen before you leave, they can still easily get the passwords another way, they still have access to all you private files.
you can come up with a what if scenario for everything, if the developers did something about every one, you would most likely have an unusable system that nobody would use


But back to my my question - why all the animosity? Nearly 300 posts of argument? Over something easily fixed? I've read EVERY post. It's soul destroying to read and it's bad for the image of Ubuntu when an easily fixed security issue is defended to the death like this.

I just wanted to understand where all that defending is coming from.
its not animosity, its just a pretty central design decision of linux is not to make things appear more secure than they are, hiding the password would not make the system more secure, its security through obscurity, read the link i posted about pidgin, or the reply from the seahorse
dev they both say the same. if you want it to be actually secure, lock the screen, if windows hides its passwords, its not anymore secure, they may have an advantage of closed source and use lots of obfuscation but it isnt secure.

I am very new to Linux so I don't understand its way of doing things yet. But I had the impression that ubuntu or linux would have every relevant security measure that Windows has and some more. If Windows can restrict installation of keylogger to admin level, why can't Ubuntu? Or rather, why it doesnt?

Their reasoning might be "If someone can get a keylogger on your system, they can probably also [insert something ridiculous here] so we won't lead you to believe your system is secure because [blahblahblahblahblah] lock your screen."

](*,)

if the developers did something about every one, you would most likely have an unusable system that nobody would use

I doubt the system would break down if a password prompt were given any time someone wants to view the saved passwords.

:roll:

I believe the answer to the question was already given early on. This is how the developers made it, if you don't like it, don't use their software.

*looks at recent marketshare numbers*

Looks like the people have made their choice

=D>

Those who are rigidly against any change have not been able to answer this simple question:
What is relatively more secure:
a) 9 out of 10 people can steal my passwords
b) 2 out of 10 people can steal my passwords


Because the question is misleading and does not consider the bigger picture. Of course the second answer sounds better, but you are conveniently ommiting the fact that the context is: such people are already logged in as you.

I can make the following question, what is relatively more secure:

a) people take 1 minute to steal your passwords
b) people take 10 minutes to steal your passwords

Following your logic, (b) is obviously the correct answer and thus we have a case for requiring 120 different passwords before opening up the keyring.

Those who say "don't let them use it, if you don't trust" fail to appreciate the fact in real life an extremely large number of people are NEITHER absolutely trustworthy nor absolutely untrustworthy. We may trust a person with one thing (e.g. they wont install keyloggers) but not with another (e.g. if a password is right in front of them they might be tempted to use it). Also, you guys fail to realise that there is a big difference in professional thieves or determined hackers and opportunists. Opportunists can be everywhere but most people don't have people with scripting knowledge around them.

You are confusing "trustworthy" with "technically capable". One has nothing to do with the other. I have several friends who I'd let use my computer for five minutes and know that, if I had a file named my_bank_password.txt in the desktop, they would not open it. That's why I consider them my friends in the first place.

On the other hand, if I thought, even for a second, that a person would open that file, I would never let him use my account, period. I don't care if he's the most stupid, retarded, technically incapable person in the world who doesn't know how to double-click to open a file. He would not touch my account. End of story.

There is no such thing as "half-trustworthy". That's the concept I'm having more difficult to grasp when I see someone complaining about the current policy. Why doesn't anyone seem to have a problem with anyone being capable of nuking your entire home directory with "rm -rf ~" (or better, opening nautilus, selecting everything, pressing del and emptying the trash) if you leave your computer without locking your screen?

It would be security through obscurity if it were the ONLY measure. It is an additional layer that we want that would protect us from 90% of the people. Thinking that a user would never ever forget to lock the screen is seriously flawed. We want a system where in the rare case we forget to lock the screen, we would still be protected from 90% of the people. Currently, our passwords are vulnerable to almost 9 out of 10 people, in case we forget to lock screen.

Bogus statistics. It's 9 out 10 people who would be interested in it.

I hate the car analogy here (lol) but I have to say this. Some thieves are professionals and some are opportunists. Some professionals have jammers that would render the tracker you have installed useless. Does it mean tracking is useless just because a few can get past it? On top of that there are thieves:

(...)

We have different security measures for all these types and not JUST for the most advanced and professional thief.

And all of those are useless if you give the thief the key.

If you think the *show passwords button* is there to make the user lock the screen, why not have the passwords displayed ON the desktop background. That is thousand times more likely to make a person lock the screen. Seriously, tell me?

There's a difference between "it's that way because the user should lock the screen" and "it's that way to make the user lock the screen". You are missing the point.

i suppose if you built it into the kernel, it would be able to stop one app masquerading as another, but seahorse/gnome keyring just uses an api and i dont see how you could prevent it, having said that i dont know how windows does it so i dont know, anyway the work around would just be to read the unencrypted keys directly

Only authorised apps should be able to access encrypted passwords. They should be allowed to access to only the passwords associated with them. Apps should not be allowed to masquerade as another. Since the passwords are required by apps only at the time of sign in of respective apps, the passwords should get encrypted again.

You may or may not know how to do it, I certainly don't. But I am sure can be done because I know some of it has been done elsewhere.

a keylogger can be installed without sudo, im not as sure whether it would run without sudo (as i say ive never tried making one, i fairly sure tho that the reason sudo doesnt echo anything on password input is to defeat keyloggers).regarding the physical keylogger, how often do you check behind you pc? all you need is something to intercept the signal inbetween the keyboard and pc, regardless if someone really wanted to they could just reboot your pc into rescue mode to get root access and install a keylogger that way,and get your passwords etc.

Thats the point, how many people are roaming around carrying physical keyloggers in their pockets. Thats the whole point of our wanting this feature. Because most people can click a show passwords button and get passwords but are not able to do other stuff like keyloggers.

I am very new to Linux so I don't understand its way of doing things yet. But I had the impression that ubuntu or linux would have every relevant security measure that Windows has and some more. If Windows can restrict installation of keylogger to admin level, why can't Ubuntu? Or rather, why it doesnt?

as mcduck posted previously windows only needs a password to install it system wide, the same with linux.
linux does have every relevant security measure that windows has, it just doesnt consider security through obscurity to be relevant.


I completely agree with you.
Its like some weird "linux is perfect but its users suck" attitude.

its not a users suck attitude, it just credits them with some intelligence, if something isnt secure, it wont tell you it is.

how about i swap this around, windows doesnt show passwords, does that make it more secure? well you cant see it in the menu, but some one who know what they doing can see it.
result, people think their passwords are secure and so will happy enough to leave their system unlocked, yes it may stop 8/10 people snooping but what happens when the 5th person comes along who knows what theyre doing? yes youve lost your passwords.
linux on the other hand doesnt try to hide it the user knows its not secure so hopefully they lock it, then it is secure from everybody.
yes you could argue "but they dont know you can see passwords" the answer to that is education, plus if you say that then you have to accept that many others wont know either, so you back to the 8/10 people argument.
you could also say "what if they forget to lock it", what if i forget to lock my car, my house, shred my bank statements?

I am very new to Linux so I don't understand its way of doing things yet. But I had the impression that ubuntu or linux would have every relevant security measure that Windows has and some more. If Windows can restrict installation of keylogger to admin level, why can't Ubuntu? Or rather, why it doesnt?

Like I said, you can install one in Windows as well. You only need admin privileges to install one system-wide (to be bale to monitor all user accounts and the login password). Or if you want to hide it so well that it can't be seen in the process list, for example.

For all basic keylogging tasks all you need is access to unlocked session: No matter if the OS is Linux, OSX or any Windows version.

Besides, you don't really even need to install anything for basic keylogging. I just tried, out of pure interest, if it's possible to log keyboard input with the basic tools already available by default. Seems quite easy, actually, and I'm not even a programmer and only have very basic shell scripting skills.. ( I used xev to read the keyboard, and xwininfo to get the window id of Firefox window to tell Xev what window to monitor. I'm sure there's more efficient ways to do this but these were the first tools that came to my mind and they were enough to log all keyboard and mouse input in Firefox into a text file. Enough to get all your website passwords..)

I believe the answer to the question was already given early on. This is how the developers made it, if you don't like it, don't use their software.

Trollishly distorting what people said won't get you anywhere.

The mailing list was pointed out several times, and developers are replying to questions there. The list is open to anyone who is interested in contributing to the discussion.

how about i swap this around, windows doesnt show passwords, does that make it more secure? well you cant see it in the menu, but some one who know what they doing can see it.
result, people think their passwords are secure and so will happy enough to leave their system unlocked, yes it may stop 8/10 people snooping but what happens when the 5th person comes along who knows what theyre doing? yes youve lost your passwords.
linux on the other hand doesnt try to hide it the user knows its not secure so hopefully they lock it, then it is secure from everybody.
yes you could argue "but they dont know you can see passwords" the answer to that is education, plus if you say that then you have to accept that many others wont know either, so you back to the 8/10 people argument.
you could also say "what if they forget to lock it", what if i forget to lock my car, my house, shred my bank statements?

Im all for solving this problem fundamentally. But until such a solution is even on the horizon, a pragmatic approach to make stealing passwords a lot harder, if not impossible for 99% of the potential identity thieves out there, gets my vote.

If you dont want to give users a false sense of security then add a simple popup saying "warning, you need to enter you password to view your passwords, but that doesnt mean they are secure from keyloggers or other means. Always lock your screen blablablabl"

I find that a far better compromise than allowing easy identity theft by anyone.

Only authorised apps should be able to access encrypted passwords. They should be allowed to access to only the passwords associated with them. Apps should not be allowed to masquerade as another. Since the passwords are required by apps only at the time of sign in of respective apps, the passwords should get encrypted again.

You may or may not know how to do it, I certainly don't. But I am sure can be done because I know some of it has been done elsewhere.

the seahorse keyring is decrypted when you log in using your login password, so they arent encrypted whilst youre logged in


Thats the point, how many people are roaming around carrying physical keyloggers in their pockets. Thats the whole point of our wanting this feature. Because most people can click a show passwords button and get passwords but are not able to do other stuff like keyloggers.
they dont need a keylogger to get passwords
its this simple http://michael.susens-schurter.com/blog/2008/10/30/listing-all-passwords-stored-in-gnome-keyring/, plus how would this feature defeat keyloggers, keyloggers log keys, not scrape screens.

Also, remember the Pidgin stores your account passwords in plaintext on your hard disk. Pidgin doesn't use the keyring, and AFAIR the Pidgin developers aren't interested in doing this either. Empathy does store your account passowrds correctly though

pidgin stores the plaintext password in a file that is only accessible to the user of the password.

Just what type of problem do you have with that?

pidgin stores the plaintext password in a file that is only accessible to the user of the password.

Just what type of problem do you have with that?

There is a subtle yet important difference: the machine admin or a user with a live CD is able to read Pidgin passwords (if the home is not encrypted).

That does not happen with passwords in the keyring because they are encrypted.

That's why Pidgin devs recommend not to save passes at all.

Im all for solving this problem fundamentally. But until such a solution is even on the horizon, a pragmatic approach to make stealing passwords a lot harder, if not impossible for 99% of the potential identity thieves out there, gets my vote.

If you dont want to give users a false sense of security then add a simple popup saying "warning, you need to enter you password to view your passwords, but that doesnt mean they are secure from keyloggers or other means. Always lock your screen blablablabl"

I find that a far better compromise than allowing easy identity theft by anyone.

the problem has been fundamentally solved, locking the screen.

plus i dont see how popping up a message when you want to view passwords would help if they dont intend to view them, a message on installation, or first login would be better.

plus why do you keep making reference to keyloggers, no amount of not showing passwords will help

Trollishly distorting what people said won't get you anywhere.

Quote below:

Have none of you read the security philosophy linked early in the thread? That's the philosophy of the developers, and they aren't going to change it. If you're really terrified of it, go to another OS.

There is a subtle yet important difference: the machine admin or a user with a live CD is able to read Pidgin passwords (if the home is not encrypted).

That does not happen with passwords in the keyring because they are encrypted.

That's why Pidgin devs recommend not to save passes at all.

plus the fact that if someone has that much access to your pc anyway, unless its properley secured they basically have access to anything they want anyway, including your keyring.

Quote below: Have none of you read the security philosophy linked early in the thread? That's the philosophy of the developers, and they aren't going to change it. If you're really terrified of it, go to another OS.

Nice try. But that person wasn't the only one who has replied to you. Trollishly selecting what some people said is trollishly distorting what people, as a whole, said.

Because the question is misleading and does not consider the bigger picture. Of course the second answer sounds better, but you are conveniently ommiting the fact that the context is: such people are already logged in as you.

I can make the following question, what is relatively more secure:

a) people take 1 minute to steal your passwords
b) people take 10 minutes to steal your passwords

Following your logic, (b) is obviously the correct answer and thus we have a case for requiring 120 different passwords before opening up the keyring.



Duh! It is always a matter time!!! What are you suggesting? Pray tell? To have either 120 passwords or just one? We want something in between.

By your logic one should have either one letter sudo passwords or 120. But the fact is that something in between like 8 to 16 are reasonable.

You are confusing "trustworthy" with "technically capable". One has nothing to do with the other. I have several friends who I'd let use my computer for five minutes and know that, if I had a file named my_bank_password.txt in the desktop, they would not open it. That's why I consider them my friends in the first place.

On the other hand, if I thought, even for a second, that a person would open that file, I would never let him use my account, period. I don't care if he's the most stupid, retarded, technically incapable person in the world who doesn't know how to double-click to open a file. He would not touch my account. End of story.

There is no such thing as "half-trustworthy". That's the concept I'm having more difficult to grasp when I see someone complaining about the current policy.

Thats the whole point. Real life is different from the text book of computing.

Extremely large number of people are not "absolutely trustworthy for absolutely everything". Different situations, objects etc involved and the levels of risk one is willing to take with regard to the situation, object and the person being evaluated, could mean different evaluations of trustworthiness.

For example, I could trust a coworker with my pen but if I give it to a stranger I would keep him in my sight lest he runs away. Still, I would not trust just any coworker with 1,000 dollars. My close friend, I can. And yet, I might not want that friend to know about my sensitive family issues. I could trust all of this with my family and yet I might not want them to know about something very naughty that only my closest buddy knows.

Why doesn't anyone seem to have a problem with anyone being capable of nuking your entire home directory with "rm -rf ~" (or better, opening nautilus, selecting everything, pressing del and emptying the trash) if you leave your computer without locking your screen?


Because that is much harder to get away with. Plus it is not as tempting as stealing passwords and then stalking mails.

the problem has been fundamentally solved, locking the screen.

Thats hilarious.


plus i dont see how popping up a message when you want to view passwords would help if they dont intend to view them, a message on installation, or first login would be better.

You were the one saying linux doesnt want to give a false impression of security. Fine, I can live with that. If putting a password on seahorse gives that false impression (which would be your point against setting one, or did I misunderstand you?) then add the popup to undo that false impression. Then what is the problem? You are happy, I am happy and a lot less identity thefts will occur.


plus why do you keep making reference to keyloggers, no amount of not showing passwords will help

Again, because that is your argument against a password on seahorse. Its true a password on seahorse doesnt save you from keyloggers or other means, and its not a substitute to locking your screen, so again add that message to the seahorse password popup (or elsewhere too if you want) to avoid that false impression. Im not against educating users at all (especially in a popup one would see no more than a few times per year,)

300+ posts in two days is animosity. This thread is horrendously off-topic now with talk of keyloggers and such and it's being kept alive by about 4 posters with utterly opposing and completely blinkered points of view, my own included.

There is not one argument you can present that makes me comfortable about this utter lack of security in Ubuntu. Someone already posted earlier that the same is true of network-manager - true. Worse, since I use PEAP for my wireless here at work, anyone with 45 second of access to my unlocked laptop here at work will now have my considerably powerful active directory password!

Completely and utterly shocking. There is simply NO DEFENCE for such an utter lack of basic security.

To summarise,

No, adding a password prompt to view stored passwords on my system won't fully protect me if I'm stupid enough to leave my work laptop unlocked at my desk for 5 minutes, but it WILL add another layer of security and remove temptation from the vast majority of those who might otherwise have a go.

Now, thanks to this thread, I have to go and remove Seahorse and ensure that Network Manager doesn't remember my PEAP WIFI password.

Why? Because I live in the real world and there's a small risk that I might just be stupid/distracted enough to leave my laptop open unlocked.

Diabolical. And to those defending this? Please stop.

Nice try. But that person wasn't the only one who has replied to you. Trollishly selecting what some people said is trollishly distorting what people, as a whole, said.

/sigh

:roll:

Here is my quote again:

I believe the answer to the question was already given early on.

Please show me, where in this quote did I imply this was the answer given by the whole, or even the majority of respondents in this thread?

I simply said this was the correct one.

I usually loathe correcting people on simple mistakes, but you are inferring things which simply weren't said and I refuse to be attacked because you misread a sentence.

Can we get back on topic please? :popcorn:

Lets just agree to disagree. At any rate, I am out of here.

Lets just agree to disagree. At any rate, I am out of here.

Me too, but I reserve the right to come back with a "!Boom Baby!", when this is finally fixed :)

Me too, but I reserve the right to come back with a "!Boom Baby!", when this is finally fixed :)

I'm also unsubscribing. I think someone posted a discourse with the developer list earlier on? I'll maybe check back from time to time to see if there's been any movement with that.

Thats hilarious.

how ???

You were the one saying linux doesnt want to give a false impression of security. Fine, I can live with that. If putting a password on seahorse gives that false impression (which would be your point against setting one, or did I misunderstand you?) then add the popup to undo that false impression. Then what is the problem? You are happy, I am happy and a lot less identity thefts will occur.

putting a password in seahorse is secure, in as far as its encrypted when you arent logged in, when you are logged in it isnt, it is available to everything, in that case pretending it isnt available is giving a false sense of security

Again, because that is your argument against a password on seahorse. Its true a password on seahorse doesnt save you from keyloggers or other means, and its not a substitute to locking your screen, so again add that message to the seahorse password popup (or elsewhere too if you want) to avoid that false impression. Im not against educating users at all (especially in a popup one would see no more than a few times per year,)
i didnt start the conversation on key loggers, as i have posted before a keylogger logs keys, it doesnt read your screen, in the case that i had a keylogger, i would prefer to have the passwords easily available so i can copy and paste them rather than typing them in.

how ???

putting a password in seahorse is secure, in as far as its encrypted when you arent logged in, when you are logged in it isnt, it is available to everything, in that case pretending it isnt available is giving a false sense of security

Sigh. how can it pretend being safe when it tells you in a big popup its NOT safe? This is getting ridiculous. You're promoting deliberately decreasing the security of the identity of the majority of people in the majority of scenarios just to avoid misleading a tiny minority that makes wrong assumptions and cant read the contents of a dialogue. Thats a GREAT approach to security.

Ill tell you this, your avatar is fitting.

Im out of this discussion too, might as well argue with a brick wall

This is my farewell as well this thread is out of hand. I'll leave with this:
http://live.gnome.org/GnomeKeyring/SecurityPhilosophy
To summarize Gnome has two classes of attack passive and active. The way things are now will protect you from passive attack while preventing a "security theater" Gnome considers this issue an active attack witch they admit we the user are not protected against. Gnome claims that there is no real way currently to protect against active attacks without creating a "security theater" The issue is not an easy fix.

I believe that the aforementioned message with the password prompt would satisfy the requirement without creating a "security theater" in the interim while a hardened solution is being worked on.

Duh! It is always a matter time!!! What are you suggesting? Pray tell? To have either 120 passwords or just one? We want something in between.

Eh, no. You missed the point entirely.

I was merely pointing out that giving two choices without giving the full context is pointless.

The full context in my case: without considering the fact that I'm proposing 120 passwords, option (b) is obvious. Considering it, it's not.

The full context in your case: without considering the fact that you are only talking about people already logged in as you in the first place, option (b) is obvious. Considering it, it's not.

Extremely large number of people are not "absolutely trustworthy for absolutely everything". Different situations, objects etc involved and the levels of risk one is willing to take with regard to the situation, object and the person being evaluated, could mean different evaluations of trustworthiness.

I agree. And in the current case, it simply means locking the screen or not.

For example, I could trust a coworker with my pen but if I give it to a stranger I would keep him in my sight lest he runs away. Still, I would not trust just any coworker with 1,000 dollars. My close friend, I can. And yet, I might not want that friend to know about my sensitive family issues. I could trust all of this with my family and yet I might not want them to know about something very naughty that only my closest buddy knows.

This all applies to the current policy. You trust, let them use your account. You don't trust, create a guest account. Can you forget to lock the screen? Sure. As you can forget money over the table, you can forget your diary open in an embarassing page and you can fail to notice someone overhearing when confiding to a friend. But I doubt you get all paranoid over that.

Because that is much harder to get away with. Plus it is not as tempting as stealing passwords and then stalking mails.

In your opinion and in your case. If you want to claim you are worried about security, treat data and passwords with equal importance because for a lot of people data is more important than passwords. Otherwise you are being unfair.

Please show me, where in this quote did I imply this was the answer given by the whole, or even the majority of respondents in this thread?

I simply said this was the correct one.

And it was not, as evidenced by other responses. That's my point.

I usually loathe correcting people on simple mistakes, but you are inferring things which simply weren't said and I refuse to be attacked because you misread a sentence.

You were claiming something that isn't true, and insulting the developers in the process.

If you dont want to give users a false sense of security then add a simple popup saying "warning, you need to enter you password to view your passwords, but that doesnt mean they are secure from keyloggers or other means. Always lock your screen blablablabl"

I find that a far better compromise than allowing easy identity theft by anyone.

+1

This a) solves the real-life situations that many people have described where non-technical snoopers view passwords in clear text, b) takes the opportunity to educate users as to appropriate security measures, and c) is entirely consistent with the much-cited security philosophy of not engaging in "security theater".

This does not have to be a zero-sum game, folks. A solution like this takes everyone's viewpoint into account and makes Ubuntu better and its users more informed in the process. Isn't that what we should be striving for, instead of "winning" the argument?

There is not one argument you can present that makes me comfortable about this utter lack of security in Ubuntu. And you think any other OS is better??? Just give me 5 minutes alone with your running Windows desktop and I will have all the passwords from there too, no matter if they were protected by "********" fields or not.

It's a simple fact: As soon as someone has physical access they can pretty much do whatever they want. If you are so "nice" and leave your desktop unlocked .... even better. And the OS doesn't even matter.

anyone with 45 second of access to my unlocked laptop here at work will now have my considerably powerful active directory password! Of course. Duh. And it doesn't even matter if Linux or Windows: Someone with the right knowledge will also easily get those passwords out of a Windows session. Been there, done that.


Completely and utterly shocking. There is simply NO DEFENCE for such an utter lack of basic security. There is no defence for leaving your laptop unlocked when you walk away. Ctrl+Alt+L ... taddaaaa, Screensaver + screen is locked. What's so hard about that? You don't go out of your house and leave it unlocked? How shocking: Unlocked houses are insecure and might invite intruders!! Big news, LOL.

Now, thanks to this thread, I have to go and remove Seahorse and ensure that Network Manager doesn't remember my PEAP WIFI password. I will simply walk to your laptop, use the "killall" command plus a few extra-parameters and send your Network-Manager a few nice signals and make it drop a memory dump .... and while you're away I will upload that memory dump to "somewhere else". You will return to your laptop and not even realise what just happened. In the meantime I will sieve through that memory dump and obtain your password that way .... So removing seahorse won't make you safer than before. Leaving your laptop open would still compromise you and it would still be a very stupid thing to do. An intruder would just have to change their attack vector, but that's about it. With the laptop being open they can pretty much do what they want.

Because I live in the real world Me too. I always lock my laptop. ALWAYS. Whenever I catch my IT apprentices leaving their machines unlocked I FORMAT those machines so they have to reinstall. So far I only had to do this once. Those youngsters are quick learners. Why aren't you?

and there's a small risk that I might just be stupid/distracted enough to leave my laptop open unlocked. Well ... if you trust your colleagues then this probably isn't a problem. And if you don't have an admin like myself who would mercilessly format your laptop in order to punish and educate you .... Even better. But then again: Maybe you should work on your concentration issues and focus more on what you're doing and why in the here and now?

Damn!! There have been over ten pages of replies since I last looked before I went to bed last night. I'm not going to read them, but it seems that the debate has gone waaayy downhill.

Putting all arguments about sudo/security philosophy/linux/windows and everything else aside, I do believe that just a simple change of location for the Passwords and Keyrings application (Seahorse) to Preferences would hopefully make it less obvious.

If nothing else is going to be done, then that's the least they can do. At least everyone's happy then.

Rather than arguing endlessly here, I wrote the below email to the seahorse mailing list. I did so before I subscribed to it, so can anyone who is also subscribed confirm he or she received it? This is what I sent:

Hello everyone,

First of all allow me to express a big THANK YOU for all the hard work you guys put into making gnome one the best desktop environments out there.

But even the best can be improved. You are probably aware there is some controversy over the fact seahorse allows a user to view clear text passwords without any authentication. There is a 300+ post on the topic on the ubuntu forums which I would advice you not too read unless you're terribly bored and like reading circular arguments about car analogies. Instead, let me try and summarize the relevant arguments I have been able to find, and humbly propose a solution.

People defending the current implementation have a few valid arguments. They claim hiding passwords that reside on disk unencrypted does not add real security, only perceived security. They argue such false sense of security ("security theatre" seems to be the popular phrase) actually diminishes security and users should be taught to lock their screens instead. They also argue physical access = root access anyway, and apps like pidgin store passwords in clear text by design for the above reasons. Some add more nonsensical arguments that I will spare you.

People who object to the current implementation (which includes yours truly) argue that the current implementation makes it far too easy for anyone even with no computer skills to obtain someone's identity. It takes less than 10s to click a few menu's and reveal someone's wifi or email password, which is a great security breach (far more than just being able to read emails while the owner is away from his screen). Locking the screen is a good habbit but in real life people will not always do this, and even a screensaver / auto lock is not a good solution as that would take several minutes during which a curious collegue could grab your mouse in your absense and obtain your passwords without you ever knowing.

Now, I can appreciate the philosophy of not giving false sense of security and security through obscurity is not a solution either. Requiring a password to view clear text passwords stored in the keyring does not protect a user from more sophisticated attacks and could indeed increase the perceived secuity. Therefore I would suggest a pragmatic solution that I think should satisfy everyone. I would suggest passwords in seahorse are not visible without re authentication of the user, but at the same time I would use the password dialogue box to warn the user that despite this authentication request, his passwords are NOT secure or encrypted as long as he is logged in, and he should lock his screen and/or close the keyring to avoid identity theft.

To me this sound like a fairly simple solution that will render identity theft by regular desktop users a whole lot less likely, while at the same time educating the user how to protect himself from more skilled potential identity thieves who know how to install a keylogger or where to find on unscramble stored passwords. It secures users against the majority of potential identity thieves, it provides no false sense of security (quite on the contrary) and it educates the users. Everyone wins :)

I hope you will consider this solution,

Bob.

I hope the seahorse developers are more prone to reason and pragmatism then some posters here.

P4man this is for you not here to argue any more. I just got this from the mailing list


This is really a gnome-keyring question. Seahorse is no different than
> any other application on the Desktop when it comes to accessing
> passwords in the keyring.
>
> gnome-keyring-daemon has a very hard time differentiating between
> different applications.
>
> FWIW, I'm sure you've already read the security philosophy here:
> http://live.gnome.org/GnomeKeyring/SecurityPhilosophy
>
> The first and foremost 'real' thing we can do, to make all these
> security dreams a reality, is help Linux get a concept of signed
> applications (think iPhone, Mac OS) ... Or some other way to
> differentiate between applications, or at least applications running in
> different security contexts.
>
> Vertigo wrote:
>> I would suggest passwords in seahorse are not
>> visible without re authentication of the user, but at the same time I would
>> use the password dialogue box to warn the user that despite this
>> authentication request, his passwords are NOT secure or encrypted as long as
>> he is logged in, and he should lock his screen and/or close the keyring to
>> avoid identity theft.
>
> Who does this reauthentication? Should seahorse lock and then try to
> unlock the keyring? Or is gnome-keyring supposed to somehow identify
> seahorse and treat it differently?
>
> Obviously anything done in seahorse would be of absolutely no
> consequence to any other password manager.
>
> Cheers,
>
> Stef

see its not a simple problem hopefully they see the wisdom of an interim solution, I'm going to try to reason it out with them as well.

Yeah Im getting it too as Im subscribed now.

FWIW I never claimed the technical implementation was easy (I got no clue), but thats no reason to trivialize the issue or ridicule a possible solution or pretend there is no issue because linux is perfect and its all the users' fault for not locking the screen.

Anyway Ill reply on the mailing list and perhaps repost it on the gnome-keyring mailing list if it turns out that is the better place to implement such a concept.

This was my response:

After a lot of reading I can see this is a real concern for gnome,
and a truly secure solution will require a lot of work. How you guys
decide to do that is way over my head. (though references to that
locked down piece of crap the iphone send chills.)
I can tell you this though Gnome's policy of education as a first
line of defense, while noble and probably the best solution. Has not
been implemented very well to this point. As an example I can tell you
I've been using gnome for four years and I just found out (after
participating in the debate on Ubuntu forms.) what seahorse is and how
it works.
I and a number of people believe that while confirming your password
to view passwords in seahorse is by no means secure or a permanent
fix. It will accomplish two things, one it will stop identity theft by
opportunists who have no real technical knowledge beyond point and
click. Two it would give Gnome an opportunity to educate the user on
best practices with security in a gnome environment.
Until we have a unified security solution I believe its imperative
that we do everything we can to meet the users expectations while
still adhering to the Gnome philosophy.

FYI: the reply to my mail, which you quoted, was CC'ed to the gnome-keyring mailinglist. you may want to subscribe there as well.

Thats the one I signed up to in the first place. not sure how I ended up there Truth be told I'm new to mailing lists, never had a need before now.

I applaud you both, P4man and snkiz, for taking a more active instance in this issue. As you already know, this is a not a security issue for me, but if it's for you, by all means keep talking to the developers. This is what community development is about. Much better than a "since this is obviously a bug, I won't discuss with the developers because they will eventually see the light" approach. I'll read the threads as well and hopefully everyone will be satisfied at the end.

This thread is a joke. I am sorry so many of you are uncomfortable keeping your computer in your own hands. Here is what I do with my computers.

laptop - lock screen when leaving or set to standby(close the computer) which also locks the screen. Someone comes and says hey can I use your computer... sure *click on guest*. Gf has her own account.

Desktop - lock screen when leaving or set to standby which also locks the screen. Someone comes and says hey can I use your computer... sure *click on guest*. Gf has her own account. When I am away and people use my computer, I leave an account sticky on the monitor.

BIG DEAL. I am really sorry many of you can not be masters of your own computer. If security really mattered to you, this wouldn't be that hard. Welcome to the world of linux, where we actually use the accounts unlike windows users.

/trolling

It's a matter of options, gnome-keyring giving you the option of saving certain passwords for convenience. Issues arise when people either explicitly tell a program it can save the password, or when a program just assumes that it can and does so silently.

I knew for years that pidgin saved passwords in clear-text, so I took the OPTION of not saving my account passwords. I understood it meant the inconvenience putting it in every time I started the app.

Almost every app I use that CAN save passwords, gnome-keyring or not, asks me at some point whether I want to save my password. Evolution, SSH in Nautilus, wireless network keys, firefox. It's an option I can choose not to use.

But now that Empathy is the default im app in 9.10, I thought I'd give it a whirl instead of pidgin. But I don't recall ever giving Empathy permission to save my passwords, but it keeps doing so. Maybe I did at some point, so my question is, how can I get it to stop? Other programs have easy preferences for clearing saved passwords, some box to uncheck, something, anything! But with Empathy I can't get it to stop remembering.

The other issue I see (at least according to the current design supporters) is that the focus is on a single machine with multiple users: each user has their own silo of very important data stored locally, and operations that could affect the other users are given more security hoops to jump through (requiring elevated privledges, etc).

And that's a good model, if all you do is run apps installed on your machine, keeps documents locally, and have very important files locally. Then Linux excels, with disk encryption, and sudo/root, etc. It's a good model for keeping the machine running and keeping the other users from being naughty with each other's stuff.

But this is crazy to me:

Is it really that hard to accept that yes, the user does have a part in maintaining the system's security. Compromising the security at larger scale yourself (your whole user account) and then complaining that the system doesn't protect some minor component (passwords stored inside that account) seems quite backwards to me.

Who on here is so important that the "whole user account" on their local machine is more important and the passwords stored inside that account are just "some minor component"? I'm sorry, but my online banking password, hell even my email password, is way more important IRL than any files I have on my computer.

I think for 90% of casual users, the files may have sentimental value at best. I know I would be pissed if someone messed with my "oh so precious files", but really, it's a localized issue. A good hard drive crash can ruin your files. You backup, or it's on you.

And for actual important documents, on or off the computer, people are responsible for their security. Means using encryption, or a locked filing cabinet. But again, it's on you. Really, anything that is important I take the time to store securely.

But I use a lot of services on and offline. Now I'm more careful than most (no apps save passwords, no password used twice, all long gibberish strings, all saved in keepass), but that's because I recognize that my accounts are what could really screw with my life. if someone else got a hold of them.

And the issue is that screw the local machine security, who cares if some hacker can steal my hard drive and get my files, as long as my actually precious passwords are as safe as possible, that's what I want out of a secure OS.

Steal my laptop, and I'll know right away to start making calls and putting blocks on things. Take my bank password, and you can go away from my local machine, and at your leisure, take my money and screw me up in real life, and I won't even know I've been compromised until you've got it all planned out.

No security is impossible to break, it's just a matter of time. So I want to raise the bar. To stop the guys with intent (the guy who hacks my system, runs an app or script while I forgot to lock my screen, or jacks my laptop), I use encryption, cause that's the best coverage I can hope for when my machine is that compromised.

The problem that the OP states I think is still a valid one, because even if I'm covered the best I can from bad guys with the intent to get my info, the bar for "lookie-loos" may be much lower, but it's not null. I don't care that this whole seahorse issue doesn't stop people with intent and know what they're doing, but right now it leaves the bar at null for when you forget to lock that screen, and any idiot can see what I've saved in the keyring (which is nothing, now that I know about it, but that's the issue, education).

I say that people need to be better educated on what assumptions and expectations linux makes (like that once you're logged in, it's you, so we won't hide the passwords you've saved in your keyring). Maybe it's to undo the obscurity that they're used to when coming from another OS.

And maybe that means being a little more explicit about telling users that when they check that box to save the password, that a person with intent, on your logged in box, can get those passwords in a snap.

But at no point should we have to say to the average user: "Netbook stolen (by pro theives or opportunists) yet locked: you're out $300 and any files you didn't encrypt (your fault, we made it easy in the installer), but you at least know about it, and can work to preserve yourself. Netbook left logged in an unattended for less than 30 seconds, and any idiot who can read the word 'password' and recognizes what a key looks like can have at your credit, your life savings, and all as a surprise to you in the future. Sorry we didn't explain to you what saving your passwords meant, but really, it's more secure that way, even if you can't pay your rent now."

(Yes, I recognize there are holes in what I've said, particularly regarding keyloggers and such, but at this point, I imagine this post has wandered for too long and no one's going to read it anyway.)

There's a lot being discussed in this thread, some of which seems to be going way off in a wild tangent.

First and foremost. Can another user see my passwords when I'm logged out?


Secondly. Will adding another prompt for a another password make the system that much more secure? Remember Windows Vistas constant nagging? Are we going down that road?


Thirdly. Will this new password prompt use the users existing account password or a new password for the Gnome Key Ring?

Security is important. Unfortunately security needs to be balanced with usability. At this point in time I would suggest not using the Gnome Key Ring app and just remember your user names and passwords for things like MSN and Yahoo Messenger. It really would be a lot safer. No matter how secure these password managers are. They're never going to be impenetrable.

It also seems to me that the level of security being asked for in this thread could be achieved by simply following what has long been considered best practice. Do things like locking the screen when you step away from the PC. It's such a simple thing to do.

Don't let other people use your account. Ubuntu supports multiple user accounts by virtue that it's a Linux based multi-user OS. Use it to it's potential. Create accounts for the other people that share the PC.

First and foremost. Can another user see my passwords when I'm logged out?
No, the password files have permissions set so they're completely exclusive to your user account.
And even if someone booted into the system with a LiveCD or otherwise got around the permissions - I believe the passwords are encrypted by your user account password, so they still won't be able to get into them.

Security is important. Unfortunately security needs to be balanced with usability. At this point in time I would suggest not using the Gnome Key Ring app and just remember your user names and passwords for things like MSN and Yahoo Messenger. It really would be a lot safer. No matter how secure these password managers are. They're never going to be impenetrable.
What does "secure" mean for a password manager? I believe it encrypts your passwords so they're only accessible when you're logged on. That's what secure is to me at least.

I guess to the topic creater, not being able to read the passwords out of it equals secure, but that's rubbish because the programs that use the keyring need to read the passwords out. That's the whole point of the password manager. Not giving a user interface to directly deal with the passwords is just silly obscurity, making users think they're more invulnerable than they really are.

It also seems to me that the level of security being asked for in this thread could be achieved by simply following what has long been considered best practice. Do things like locking the screen when you step away from the PC. It's such a simple thing to do.

Don't let other people use your account. Ubuntu supports multiple user accounts by virtue that it's a Linux based multi-user OS. Use it to it's potential. Create accounts for the other people that share the PC.
Exactly. Ubuntu can even be set to lock your screen automatically when the screensaver comes on. Ctrl+Alt+L is the quick key combo to lock your screen.

There's a lot being discussed in this thread, some of which seems to be going way off in a wild tangent.

First and foremost. Can another user see my passwords when I'm logged out?

No. No one claimed otherwise.


Secondly. Will adding another prompt for a another password make the system that much more secure? Remember Windows Vistas constant nagging? Are we going down that road?

define "much more secure". Against a skilled or motivated hacker? No, not at all. Will it help take away an open invitation for an opportunist college to steal your identity? Yes, I think so. I've railed against analogies, but to make one myself: a burglar alarm or locked front door doesnt protect against professional thieves, but that's hardly a reason to leave the front door unlocked and put your savings on the dinner table. A locked front door is no real security, but it decreases the likelyhood of an opportunity thief walking in.

Thirdly. Will this new password prompt use the users existing account password or a new password for the Gnome Key Ring?

How often do you view the clear text passwords in seahorse? Probably never. lets be generous and say once per month. Entering a password once per month extra compared to the fact most of us do it at leat 10x per day anyhow seems like a very small price to pay. Heck, I dont even see a real need for seahorse to display the passwords at all. If it lets you change them thats good enough.



Security is important. Unfortunately security needs to be balanced with usability. At this point in time I would suggest not using the Gnome Key Ring app and just remember your user names and passwords for things like MSN and Yahoo Messenger. It really would be a lot safer.

And how does that affect usability? Having to enter 2 or 3 passwords every boot or login vs once per month.

No matter how secure these password managers are. They're never going to be impenetrable.


As long as they dont pretend to be, thats fine by me. But if the best use of a password manager a la seahorse is to steal someone else's passwords rather than managing your own, I think something ought to change.

It also seems to me that the level of security being asked for in this thread could be achieved by simply following what has long been considered best practice. Do things like locking the screen when you step away from the PC. It's such a simple thing to do.

No its not. First of all, a bug in Karmic prevents me from locking my screen currently. But that aside, the usability trade off gets tremendously worse here since you are asking probably a dozen or more times per day to lock the screen manually and re enter your password when you get back. Im asking for once per month (if that much).

Now you may argue that not locking the screen still provides a window for the skilled hacker, and I agree, so lets educate the user to not rely on a password on seahorse to protect his identy, but lets lock that door anyhow.

Lastly the reality is sometimes you dont think of locking the screen, or you dont have the time as you react to something urgent or panic or you expect not to be away from your screen as long or far as you thought.

The weakest link in security is almost always the user and depending entirely on the user doing something no one does all the time is per definition bad security.

anyway we can argue this ad infinitum. Im just happy that the gnome developers seem to acknowledge this is indeed a problem and not just "user error". unfortunately a solution seems fairly difficult, but that is not a reason to trivialise the problem or blame the end user

I agree with P4man ^^^ completely. I don't have anything to add to this thread that hasn't already been mentioned. My opinion is known.

When my system is prompted from sleep or booted up, there is no desktop; there is only a password entry field and some options such as "leave message" "switch user". Maybe some settings need a look. Also, my system has a guest user option with very low permissions for when you may be suddenly asked to loan a look at something on the system called "guest session".

When my system is prompted from sleep or booted up, there is no desktop; there is only a password entry field and some options such as "leave message" "switch user". Maybe some settings need a look. Also, my system has a guest user option with very low permissions for when you may be suddenly asked to loan a look at something on the system called "guest session".

man 36 pages of posts and that is all you have to add? what are you 12?

man 36 pages of posts and that is all you have to add? what are you 12? It's a statement of fact, so that's all you can be critical of; that would make your post the pointless one...

Calm down guys; this thread has been mentioned in several blogs, Linux Magazine, and elsewhere. It is getting a lot of attention. Could we please keep this on topic?

From a usability perspective I can almost see why you would want another password there, however this is a misconception of the dynamics of the security practice that *nix based systems are based on and is an anxiety stemming from Windows' ad-hoc security approach based on a single-user environment. That is to say it's not in itself a bad idea to password seahorse, it's just that it's ineffective and useless at best and dangerous and mis-leading at worst.

In the single-user world everyone has access to the same base security structure, the same computer, the same hardware. So you put passwords on sensitive things so only the admin persona can access them. This is the Windows styled kind-of UAC approach..

In the multi-user world everyone is different. The user logged in is master of their own stuff, not other peoples. The keychain manager is invented so the user doesn't have to re-type their passwords and instead has a master password on the keychain manager itself to be able to access it. Everything (or most things) are encrypted. In this environment, not surprisingly, when you login to the operating system you also login to this keychain manager and unlock all your passwords so your applications can use them; wifi connector, email, etc etc.



So, with that in mind the reason seahorse shows the passwords is it simply reflects what your applications can see when you're authenticated (logged in). In other words when you're logged in your passwords are available. Now, if I'm a power user and my apps have access to my passwords, I do too. As the user I want to see what my apps can see at the very least and sometimes more. So if my keychain is unlocked because I've logged on I want to see the passwords my applications can see.

This is where it gets tricky, because I don't want other people to see them and steal them, but I don't want to type them in every time either. I think this is the crux of the argument that has developed in this thread.


What the coders/more computer savvy people here are saying is that it's pointless to put a password on seahorse because once you're logged in, any app has access to those passwords because you've already proved you're you. So to put a password on seahorse is not effective, simply because at the security level those passwords are still available to you and your applications.

The result of that is that you get asked for a password when admin-ing things but the guy who's stealing your passwords with a script doesn't (because you've already logged in). The by product is that the legitimate user has less explicit/visible access to their system than what the security allows for. That's inherently bad, as you want to keep the representation of security to the legitimate user the same as it is in actuality/availability.

I think it's telling that the seahorse developer said he's not reading the thread and put the link to the keychain philosophy. In my view, because it's an ignorant argument. By linking the philosophy he was saying if you understand this you will understand why it's an ignorant argument.

Once the environment is clear the real options in the *nix environment are also clear - (and have been mentioned); use another keychain for those passwords, type in all your passwords manually, or lock your computer.

When in rome... ..

seahorse shows the passwords is it simply reflects what your applications can see <snip> So if my keychain is unlocked because I've logged on I want to see the passwords my applications can see.

once you're logged in, any app has access to those passwords because you've already proved you're you. <snip> those passwords are still available to you and your applications.


I don't think (I am not sure) that all/any applications are allowed access to ALL passwords in the keyring. To get a password from the keyring, they need to ask for a specific resource; I don't believe there is any way to enumerate and access all stored passwords.

Again, I am not sure about this; if in fact, applications can access/enumerate ALL passwords in the keyring then this is a (IMHO) major security risk; while currently linux does not have malware, I don't believe that it is risk-free; it simply has not generated enough interest in the hacker/malware community. This will change, and linux will be just as badly (if not more) affected as windows; since current malware depends more on social engineering than hack-bypassing security restrictions. If such a malware application is developed, it can just store a password in the keyring to gain access to all a user's passwords. So, I doubt that applications have access to ALL passwords stored in a keyring.

Once again, this isn't about passwording Seahorse, nor the keyring, nor is it about a dedicated hack attack and how to protect yourself against such. It's been said before and it's largely true - if someone has physical access to your machine, you've lost.

This is about Seahorse NOT showing passwords in the first place, as P4man asserts above.

It's about making life difficult for an opportunistic over-the-shoulder situation, or when you've got your back turned from your (perhaps stupidly) unlocked machine.

I've relayed such to the relevant mailling lists. All this talk of ultimate security, hacking, loggers, or UAC is absolutely spurious.

This could be a simple fix and if done correctly, one that NO-ONE will notice, but that will render opportunistic threats much more difficult.

Neil.

An unlocked keyring does not imply that all applications will have access to all passwords. There are security controls to prevent this and access to keyring elements are protected on a per-application basis (remember the "Deny", Allow Once", " Always Allow" dialogue that pops up?). Access by applications can be controlled via the Applications tab for each keyring element.

The original poster and many others have (I believe correctly) pointed out an issue that needs addressing. Specifically the ease with which passwords are reveled to a casual user. It's clear that someone thought that casually revealing the passwords "in-the-clear" was a bad idea, hence the bullet obfuscation and the need to select "Show password" to expose the clear text password. A requirement to enter the keyring master password to show a clear text version of the stored password is a good idea here.

I will admit that when I first started reading this thread I thought to myself... "self, what does the OP expect... he/she unlocked the keyring at login - of course elements of the keyring will be available!". But within a few minutes of reading the responses, I came to the conclusion that other people (an initially I) were misunderstanding the issue here. The argument that unlocking the keyring "opens up" access by all applications is false and a total red-herring. The fact that elements of the keyring are blocked with application level ACLs tells us all we need to know about the intent of the keyring system. We are primarily talking about an authorization issue here, and only marginally an authentication issue. Simply put... If I have to explicitly authorize an application to access elements of my keyring then I also want to explicitly authorize (via an authentication password check) the clear text password being thrown out on to my display. Please, let's fix this issue and not give up clear text passwords to a casual browser so easily.

p.s. I normally limit my posts to launchpad debugging. I actually registered a forum account just to comment on this issue. Hopefully that gives the gnome-keyring and seahorse devs an idea of just how important this issue may be among the user base.

An unlocked keyring does not imply that all applications will have access to all passwords. There are security controls to prevent this and access to keyring elements are protected on a per-application basis (remember the "Deny", Allow Once", " Always Allow" dialogue that pops up?). Access by applications can be controlled via the Applications tab for each keyring element.


If I understand it correctly (and thats a mighty big IF), what you suggest is roughly whats being talked about on the gnome-keyring mailinglist today. Have a look here:

http://mail.gnome.org/archives/gnome-keyring-list/2009-November/msg00002.html

The reply by Stef (gnome keyring developer) hasnt made it to the website yet, but is here:

So what you're suggesting is to have the keyrings live in a daemon
running as root, essentially another security context, which then uses
policykit or gksudo for permisions? An interesting idea. Certainly
non-trivial, and needs a lot more thought, but interesting

At least the concept of having the keyrings live in another security
context is interesting. I haven't thought about this much, so I don't
know whether it would cause more problems than it would solve. But this
bears thinking about in the long term.

Cheers,


Anyway I would suggest you sign up for gnome-keyring mailing list and participate in the debate there, as its much more likely to yield any results than this thread.

Again, I am not sure about this; if in fact, applications can access/enumerate ALL passwords in the keyring then this is a (IMHO) major security risk; <snip>

Sorry I was generalising in my post. I was trying to explain why it occurs for those who weren't grasping it but I can see why it's mis-leading...

An unlocked keyring does not imply that all applications will have access to all passwords. <snip>

I will admit that when I first started reading this thread I thought to myself... "self, what does the OP expect... he/she unlocked the keyring at login - of course elements of the keyring will be available!". But within a few minutes of reading the responses, I came to the conclusion that other people (an initially I) were misunderstanding the issue here. The argument that unlocking the keyring "opens up" access by all applications is false and a total red-herring. The fact that elements of the keyring are blocked with application level ACLs tells us all we need to know about the intent of the keyring system. We are primarily talking about an authorization issue here, and only marginally an authentication issue. Simply put... If I have to explicitly authorize an application to access elements of my keyring then I also want to explicitly authorize (via an authentication password check) the clear text password being thrown out on to my display.
<snip>


... looks like I misunderstood too ^ the above makes the distinction clear - cheers.

bS

If I understand it correctly (and thats a mighty big IF), what you suggest is roughly whats being talked about on the gnome-keyring mailinglist today. Have a look here:

http://mail.gnome.org/archives/gnome-keyring-list/2009-November/msg00002.html

The reply by Stef (gnome keyring developer) hasnt made it to the website yet, but is here:


Anyway I would suggest you sign up for gnome-keyring mailing list and participate in the debate there, as its much more likely to yield any results than this thread.
Thats what I was trying to get across, but guess I couldn't explain my thoughts right. Ah well, they get it now thats what matters :) Go team squeaky wheel! \\:D/

My position on this issue is clear already: I don't consider it a security flaw and I don't care about it.

That said, I've been thinking... Who, among both complainers and defenders in this thread, uses Seahorse anyway? The more I think about it and analyse it, the more I see it as a power user tool. When the average user wants to manage a password, he intuitively goes to the application that uses it. A cool thing that Seahorse does is synchronizing remote keys, which is definitely something that average users are not very interested in.

I'm wondering if all this discussion would be solved if Seahorse simply wasn't installed by default, as is the case with a lot of power user tools.

Marc Deslauriers has blogged about this, annoyingly taking the side of the "lock your PC, there is no security issue" argument.

http://mdeslaur.blogspot.com/2009/11/gnome-keyring.html

P4man, thanks for posting that about Stef's reply - was going to do that myself. I think he's still making this issue too complex. All I'm asking is that since the app to change your password in "About me" asks you to re-authenticate before changing your password, Seahorse would benefit from the same mechanism before revealing your passwords.

I'm surprised that the people who argue this isn't an issue haven't logged a bug report about that app - after all, why is it asking me who I am before I change my password? What gives?? ;)

I'll reply to Stef when I get home tonight.

Cheers,
Neil.

All I'm asking is that since the app to change your password in "About me" asks you to re-authenticate before changing your password, Seahorse would benefit from the same mechanism before revealing your passwords.

I'm surprised that the people who argue this isn't an issue haven't logged a bug report about that app - after all, why is it asking me who I am before I change my password? What gives?? ;)

Logical fallacy.

"This isn't an issue" is not the same as "the opposite is an issue".

My position on this issue is clear already: I don't consider it a security flaw and I don't care about it.

That said, I've been thinking... Who, among both complainers and defenders in this thread, uses Seahorse anyway? The more I think about it and analyse it, the more I see it as a power user tool. When the average user wants to manage a password, he intuitively goes to the application that uses it. A cool thing that Seahorse does is synchronizing remote keys, which is definitely something that average users are not very interested in.

I'm wondering if all this discussion would be solved if Seahorse simply wasn't installed by default, as is the case with a lot of power user tools.

Not quite true - I'm pretty sure Gnome-do uses gnome-keyring for all it's google plug-in apps, so there's your gmail password again. All GVFS shares are stored there for sure, so anytime you type smb:\\servername\share into Nautilus, you're creating entries (assuming to choose to allow access) too.

Up to you if you want to call that "power user" material though.

Removing Seahorse from the default install would surely hurt the Seahorse developers though in terms of bugs found/fixed. I, for one, wouldn't particluarly mind though.

Not quite true - I'm pretty sure Gnome-do uses gnome-keyring for all it's google plug-in apps, so there's your gmail password again. All GVFS shares are stored there for sure, so anytime you type smb:\\servername\share into Nautilus, you're creating entries (assuming to choose to allow access) too.

Yes, those applications use gnome-keyring. But do they use Seahorse?

Triple post. Sorry, but each post is unrelated to the last.

I earlier posted that I was unhappy that Network Manager also uses gnome-keyring and as such Seahorse will show you my PEAP password for my work account, which obviously (due to the nature of PEAP) is my active directory password too.

You can kind of obfusticate this by asking Network Manager to make your PEAP protected wifi entry "available to all users". For some reason, Network Manager doesn't store these passwords in the users gnome-keyring (perhaps it creates a root keyring, which would make sense).

Sadly, Network Manager itself still insists on showing you the password if you ask it to. One hurdle down, one to go. I'm not a WICD fan, but I wonder if it has the same issue?

Yes, those applications use gnome-keyring. But do they use Seahorse?

See for yourself - anything stored in gnome-keyring, is, I think, available in Seahorse. All my gnome-do and gvfs shares show up for sure. Plus, my wifi accounts that aren't set to "available to all users".

My understanding is that Seahorse is a graphical tool for manipulating the gnome-keyring. I'm not sure that you can store anything in gnome-keyring that doesn't show up.

The "available to all users" thing is stored in another keyring.

I think that's what Stef was getting at in P4man's post above?

I wouldnt miss it (seahorse that is). Ive used it twice I think over the last years, to change or reset my keyring pw. But I think people using autologin or thinkfinger might miss it. And its odd to have apps ask permission and store passwords but not having a way to revoke those permissions. Also at the very least there ought be an alternative to change the keyring password without installing anything extra.

My understanding is that Seahorse is a graphical tool for manipulating the gnome-keyring.

Exactly. As far as I know, it isn't more needed for the keyring to work than Nautilus is needed for the filesystem to work.

I got curious enough to set up a poll (http://ubuntuforums.org/showthread.php?t=1314284).

Good explanation here. http://mdeslaur.blogspot.com/2009/11/gnome-keyring.html

Good explanation here. http://mdeslaur.blogspot.com/2009/11/gnome-keyring.html

same arguments that we hear everywhere else, I can hear it a million times I will still not change my opinion. The argument is still based on the IMHO flawed argument that only a locked desktop is truly secure, and therefore anything else is pointless, I agree with the first, not the latter because we dont live in a perfect world where everybody can and does lock his desktop 50x per day, and the chance of someone downloading a "gnome keyring password stealer app" and running it on an unlocked desktop seems at least an order of magnitude less likely than someone running a default installed app to obtain those same passwords.

I guess it boils down to this: If you cant have perfect security, is there such a thing as smaller or greater risk? I think there is, others apparently dont. (I wonder if those same ppl shut down their machines on every report of a possible security vulnerability)...

Good explanation here. http://mdeslaur.blogspot.com/2009/11/gnome-keyring.html

Thanks Future, except that it's the same post I linked to in reply 367 and I don't agree that it's a good explanation... no wonder this thread's over 350 posts now. I must account for about 30 of them.

Thanks Future, except that it's the same post I linked to in reply 367 and I don't agree that it's a good explanation... no wonder this thread's over 350 posts now. I must account for about 30 of them.

Sorry, this thread is too long for me to read the entire thing.

Sorry, this thread is too long for me to read the entire thing.
so you can't be bothered to skim the thread to see if someone has said what you want to say. But you'll scour the web for links to backup your opinion? And that's why this thread is so frikin long.

so you can't be bothered to skim the thread to see if someone has said what you want to say. But you'll scour the web for links to backup your opinion? And that's why this thread is so frikin long.

I said it was too long for me to read the entire thing, I never said I didn't skim any of it over. Anyways, apparently this thread has turned into attacking people because of their views. I'm done with this thread.

I wouldn't take it personally, Future, always seems to happen when threads get this big. The same is said over and over by so many people, frustrations boil over. If there's any updates on the dev mailling list, I'm sure P4man or myself (or anyone else following the list) will update here.

Or follow it yourself via the archive :
http://mail.gnome.org/archives/seahorse-list/2009-November/thread.html

Neil.

This thread is ridiculously long! And no - I haven't read all 39 pages but only about 25 of them and I get a flavour of the opinions being expressed. All of it makes sense. Some of it is just geeks showing off too. (I can break any password that you can create! etc. etc.) But I think I mentioned about 35 pages ago that the Firefox solution would solve the problem for 99% of us. I'm sure that it isn't completely secure, but asking for the password before revealing the passwords in clear text is not very much to ask - is it?? Please?

Oh still being discussed!
Although I'm glad this issue has been acknowledged by some developers.

This is true, I don't like or have ever realized this, I solved a problem with a simple solution: I went to Edit Menus, and added gksu -u <Username> seahorse, this stops anyone from entering the GUI way, but the fact that this (seahorse) can still be ran from any terminal still bothers me.

This is true, I don't like or have ever realized this, I solved a problem with a simple solution: I went to Edit Menus, and added gksu -u <Username> seahorse, this stops anyone from entering the GUI way, but the fact that this (seahorse) can still be ran from any terminal still bothers me.
If it bothers you that much,
sudo apt-get remove seahorse

Don't do that, you'll remove the ubuntu-desktop package too doing that.

And even if you could remove it without removing the ubuntu-desktop package, that (rightly) still doesn't stop someone from downloading the seahorse package and running the binary manually -- which can be done in a single line in a terminal (safe to run to test, only writes to a temp folder):
cd `mktemp -d` && wget "http://mirrors.kernel.org/ubuntu/pool/main/s/seahorse/seahorse_2.28.1-0ubuntu1_$(if [ "`arch`" = "x86_64" ]; then echo "amd64"; elif [ "`arch`" = "x86" ]; then echo "i386"; fi).deb" && ar xv seahorse*.deb && tar -xvzf data.tar.gz && usr/bin/seahorse
Edit: Never mind, above requires a few of the package files to be already strewn about on the system, so the above will only work if 'seahorse' is installed already (guess it could be useful if someone only removed the seahorse binary).

It doesn't bother me THAT much, I mean not a lot of people are Linux savvy enough to think about it, much less my friends or anyone that I know of, but still you know, its there in the back of your head, staring at you..., always... :shock: :P

If it bothers you that much,
sudo apt-get remove seahorse

Well since the discussion on the subject is pretty much dead and the Seahorse devs aren't taking on the idea of a password before showing your passwords in cleartext, that's exactly what I did.

Ubuntu desktop is just a meta package. It's only mainly useful during the dev cycle to add/remove packages in a consistent fashion. No real risks in removing it.

I'll maybe try again on the Seahorse dev mailing list (I'm still subscribed - it's a quiet list) during Lucid, but being honest, I'm a little Ubuntu'd out at the moment. It's been a disappointing cycle in terms of my personal experience with Karmic and I'll need to recharge the batteries before partaking in a rant-thread like this one again!

Don't do that, you'll remove the ubuntu-desktop package too doing that.

As scaine said, there's no harm in removing the ubuntu-desktop package. You can install it again later if you really need it. I'd check that "apt-get autoremove" didn't want to remove anything useful though. If it does you can just "apt-get install" whatever apt wants to remove.

Am I paranoid or is this entire thread mostly the same person generating conversation? It's mostly meaningless babble and the posts between the 4-5 users seem to be at the same time.

I'd love to make my sudo password different than my login
There should be pam settings.
AFAIK via /etc/pam.d/sudo it should be possible to change the way authentication works for sudo only - hopefully somebody else can give some details.

There should be pam settings.
AFAIK via /etc/pam.d/sudo it should be possible to change the way authentication works for sudo only - hopefully somebody else can give some details.

Really? Curious how you came by this info, that file is pretty bare. Got my attention :shock: Maybe a new thread to express your thoughts?

Really? Curious how you came by this info, that file is pretty bare. Got my attention :shock: Maybe a new thread to express your thoughts?

To configure sudo , see http://www.gratisoft.us/sudo/man/sudoers.html

You may be interested i nseveral of the options, including

rootpw and targetpw


You will need to decide for yourself the security implications of setting a root pw.

Personally, when I do this, I set root's shell to /bin/false. Take care not to lock yourself out ;)

I had a feeling you would have to enable the root account in some way to get the different password. I never really looked into that option much, because of the whole root account is BAD thing. Doesn't setting the environment to /bin/false prevent a user from running commands though?

Doesn't setting the environment to /bin/false prevent a user from running commands though?

No, it does not, it prevents the user from loging in or automatically starting a shell with sudo -i.

you may still sudo <insert command here>

including sudo bash, lol

including sudo bash, lol
Thats a little silly, but hey I've ssh'd into another user on my desktop before so why not.

Aside form locking yourself out, are there other issues? For example could you still get in under recovery/single-user mode?

Thats a little silly, but hey I've ssh'd into another user on my desktop before so why not.

Aside form locking yourself out, are there other issues? For example could you still get in under recovery/single-user mode?

Well, again in recovery mode you would need to specify /bin/bash, but I have not tried it, so yes, you might well lock out recovery mode.

It remains much, much simpler to un-install Seahorse. For the once a year I might find myself wanting to use Seahorse, I can always install it again briefly.

Evening all. Thought I'd resurrect this thread (which I notice has now been renamed - thank goodness), since there's been a new version of Seahorse released in the last day or so which might well fix this issue.

http://mail.gnome.org/archives/seahorse-list/2010-February/msg00005.html

Quote :
Details between 2.29.90 and 2.29.91:
==================================

* Change default key lengths for subkey generation. [Adam Schreiber]
* Remove unused variables [Pablo Castellano]
* Revoking subkey now works again. Also minor documentation
changes. [Pablo Castellano]
* Don't show the passphrase in plaintext. [Pablo Castellano]
* Check the OpenPGP engine only [nobled]
* Fixed wrong variable names in comments [Pablo Castellano]
* Clean up version constants [nobled]
* Fixed two warnings at compile time [Pablo Castellano]
* Unescape URI's before presenting them to the user. [Adam Schreiber]
* Updated year in the copyright string of the about dialog [Pablo
Castellano]
* Fixed incorrect signal name [Pablo Castellano]
* Fixed bug in the public key properties GUI. [Pablo Castellano]
I'm not running Lucid yet, but if anyone is, can you do a quick Help/About and if you're running this version, see if it fixes what started this whole thread in the first place.

(In case you've forgotten, it was about the fact that when you go to the "passwords" tab in Seahorse, you can view any unlocked "login" passwords in plaintext without being prompted for your password.)

Well almost 400 posts and about dozen people attacking the seahore mailing list got a simple problem fixed! yea us! I have to wonder though why this wasn't fixed at distro level then passed upstream. Heaven forbid we question our gnome overlords I guess.

EDIT:
Wow that was a little snippy. Sorry all just a little bitter.

Well almost 400 posts and about dozen people attacking the seahore mailing list got a simple problem fixed! yea us! I have to wonder though why this wasn't fixed at distro level then passed upstream. Heaven forbid we question our gnome overlords I guess.

EDIT:
Wow that was a little snippy. Sorry all just a little bitter.

Probably because there wasn't a clear consensus on how it should be fixed or if it should be fixed at all. Let the Seahorse devs decide the best way to handle it. Otherwise you're wasting your time trying to implement something that might not be acceptable by upstream.

Probably because there wasn't a clear consensus on how it should be fixed or if it should be fixed at all. Let the Seahorse devs decide the best way to handle it. Otherwise you're wasting your time trying to implement something that might not be acceptable by upstream.

+1 I was about to draft a similar response.

Trying to teach the world to lock their computers by making their passwords clearly visible is an inappropriate viewpoint for an operating system developer to take. They should be more concerned about Ubuntu being a secure platform than trying to lock the world's computers, especially considering the fact that average Linux users are far more security conscious than average Windows users in the first place. You're preaching to the choir.

Not every situation calls for advanced security. What if I want to let a family member use my laptop for an hour or two to see if they want to try Ubuntu on their computer? I shouldn't have to wonder if they might be nosy enough to click on Passwords and Encryption Keys in the menu and look at my passwords. They simply shouldn't be able to do it. You can't even change your network settings or install updates without sudo stepping in, so why should my secrets be a few nosy clicks away?

And keep in mind that security is not a black-and-white issue. It's not either you have security, or you don't; Security comes in varying levels in all instances. I feel that with my secrets being readily available from the menu, the bar is a little low for my taste.

There are several relatively simple ways to handle this, and please also keep in mind that "you should lock your computer anyway" is not an end-all argument against having reasonable security on an unlocked computer. Should Ubuntu allow root priviledges for any action automatically after a user is logged in? Why don't we just do away with sudo completely since if you lock your computer, nobody can screw with it? ... I doubt you would agree with that.

1.) Each individual keyring could have an option to automatically lock after X minutes of being unlocked. Then you could have two or three keyrings with varying levels of security. Maybe network and Empathy secrets could stay unlocked, but more sensitive or infrequently-used items lock again after 15 minutes. If it's a reasonable security measure for sudo, it's a reasonable security measure for seahorse.

2.) Automatically lock all keyrings when seahorse is opened. Then you don't have the hassle of repeatedly unlocking keyrings, but no one can just wander into the accessories menu and look at them.

3.) Require sudo to open seahorse. Or just lock the console when opening seahorse. Require the user's logon password to open seahorse by whatever means are available. That will be just as much a deterrent as access to any other part of the system.

Not every situation calls for advanced security. What if I want to let a family member use my laptop for an hour or two to see if they want to try Ubuntu on their computer? I shouldn't have to wonder if they might be nosy enough to click on Passwords and Encryption Keys in the menu and look at my passwords. They simply shouldn't be able to do it. You can't even change your network settings or install updates without sudo stepping in, so why should my secrets be a few nosy clicks away?



That's what the guest session is for.

i think the best way to solve this would be the exactly the same way as the other privileges are handled, for example if i change CPU frequency i get some key-icon in my tray saying i still have privileges and just clicking that icon will drop them.

sudo chmod o-x /usr/bin/seahorse


In alacarte, edit the seahorse entry and preface the command with sudo. (not gksudo)


Also, I thought this discussion had long died out. Meh...

sudo chmod o-x /usr/bin/seahorse


In alacarte, edit the seahorse entry and preface the command with sudo. (not gksudo)


Also, I thought this discussion had long died out. Meh...

The problem doesn't exist anymore, in Maverick and newer.

Well excellent then. :) Please disregard my previous post.

I'm running a fully updated system (10.10) and I can still sea passwords in seahorse in plain text (without being asked to re-enter my user password or any other passwords). I thought people said it had been 'fixed'. Am I just waiting for something to filter down to end-user level? When might I expect it?

I'm running a fairly fresh Natty install on three different systems, On one I don't see any passwords, on the system I'm on right now, It doesn't show my login password, but it does show passwords for pdf's and forum logins. It seems to only list saved passwords. On the system that doesn't show any passwords, I don't have any saved passwords.

I'm running a fairly fresh Natty install on three different systems, On one I don't see any passwords, on the system I'm on right now, It doesn't show my login password, but it does show passwords for pdf's and forum logins. It seems to only list saved passwords. On the system that doesn't show any passwords, I don't have any saved passwords.
So it sounds like the 'old' behaviour. I don't believe it ever showed your login password, just saved passwords for forums etc.

I was just interested because a few people said this behaviour had changed, which it clearly hasn't for the end user. But maybe it has upstream somewhere.