Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password? But then when I change CPU Frequency scaling, I'm prompted to enter my admin password? O.o How to reproduce: 1. Restart your computer and login. Do not enter any passwords after your desktop has loaded. 2. Go to Applications > Accessories > Passwords and Encryption Keyrings 3. Click on the 'Login' folder to drop down and view the programs that store data here. 4. Double click on something you want to look at. 5. Click Password to show some dots, then uncheck the box below the dots marked "Show password" 6. Note that throughout this whole procedure, not once were you prompted* to enter in anything that verifies you are authorized to view this information. *The only prompt is asking if it's allowed access to the keyring, to which anyone can click allow. Links all in one place: Bug report filed on Launchpad OMG! UBUNTU! Blog Post Gnome-keyring mailing list Gnome Keyring Security Philosophy Ubuntu Brainstorm Idea -------
Last edited by humphreybc; October 29th, 2009 at 04:43 AM.
Writer for OMG! Ubuntu!, Editor-in-Chief Ubuntu Gamer. Co-founder of media and software company Ohso.
Because you already entered your password once? Lock your screen when you leave your computer if you don't want others to see this information...
gksu and sudo have the 15 minute period where you don't have to type in a password for administrative tasks
Jaunty bootchart Karmic bootchart karmic bootchart thread Brainstorm - Ubuntu clustering
Originally Posted by renkinjutsu gksu and sudo have the 15 minute period where you don't have to type in a password for administrative tasks Is it that long? That's too long for my tastes. I'm gonna change my sudoers file.
Originally Posted by TrueJournals Because you already entered your password once? Lock your screen when you leave your computer if you don't want others to see this information... It does seem odd to me that you're not required to enter your password again here. I realize that this is not being done as a superuser and that's probably why, but perhaps viewing the password should require you to re-enter your user password. It doesn't seem like a good idea to allow anyone to view your entered passwords for things like email acounts and whatnot unless you lock your screen or logout.
Regardless, this is something that requires physical access, which is the biggest security whole in the first place. Why would you lave your computer without locking your screen if you're worried about security?
Originally Posted by TrueJournals Regardless, this is something that requires physical access, which is the biggest security whole in the first place. Why would you lave your computer without locking your screen if you're worried about security? Both true and irrelevant. It's reasonable to wonder why passwords for things other than your local computer can be viewed in clear text without entering a password. Even Windows doesn't allow that.
Originally Posted by humphreybc Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password? But then when I change CPU Frequency scaling, I'm prompted to enter my admin password? O.o *The only prompt is asking if it's allowed access to the keyring, to which anyone can click allow. It's Your computer,isn't it? I am sure that if you are concerned about your personal information,your not going to leave your machine lying around,powered up,with your keyring open.
Last edited by sliketymo; October 27th, 2009 at 06:30 AM. Reason: spelling
All valid points, but, regardless of individual situations I still think that you should not be able to view important passwords without first validating that you are indeed the owner of the accounts they belong to.
Originally Posted by humphreybc Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password? This is big; you should file a bug report, I guess. No matter what the justifications offered, your keyring passwords should not be opened with prompting for a password. (I don't even get the prompt to allow the keyring to be opened).
Cheers,PRShah Make your own: Ubuntu, Kubuntu, Xubuntu, Mythbuntu All-in-One Live DVD "I never make mistakes; I thought I did, once.. but I was wrong."
Ubuntu Forums Code of Conduct