Quad Shot of Ubuntu
In 11.10, when you go to Passwords and Keys the default setting allows you to access passwords.
I would think by default you should be prompted for your password when opening Passwords and Keys. If I let a friend on my computer they could go straight to Passwords and Keys to access my passwords.
This seems like a security risk to me. Am I right or am I missing something?
|
Ubuntu Member
You could let your friend use a "guest" account instead of your account. I believe it's limited and wouldn't be able to see the passwords & keys (but you should check to be certain).
Quad Shot of Ubuntu
Using the Guest account is an option to avoid this issue, but that is not my point.
This is a security risk! Anybody stepping away from their computer for a minute is vulnerable. Somebody can access your passwords in under a minute! You should be prompted for your password first.
This is a serious security risk unless I am missing something.
|
Ubuntu Member
This discussion has actually come up several times. See this thread for details
http://ubuntuforums.org/showthread.php?t=1931670
But the crux of the matter is physical access is root access.
Systems Samurai
the security issue is you letting someone use your account or not securing your machine when away from it.Originally Posted by spikoley
Physical access is root access
This is all security basics and common sense
Cheers
Backtrack - Giving machine guns to monkeys since 2006
Kali-Linux - Adding a grenade launcher to the machine guns since 2013
Quad Shot of Ubuntu
That is a different issue. I would agree with you if this issue was the same as the one in the link.
Then why even have sudo? That line of think is an argument against sudo. This is a sudo issue.
Do you think having a lock on User Accounts is a bad idea? Currently when you go into User Accounts it requires a password to unlock it. This issue is exactly the same. My argument is Passwords and Keys should be treated the same as User Accounts when it comes to security.
Last edited by spikoley; March 18th, 2012 at 11:15 PM.
|
Ubuntu Member
If it's a serious security risk then you have the option to: 1) log out, 2) hibernate/suspend and require a password to resume. 3) Let a friend use guest and he won't have access to password files.
When you're logged into your machine and you simply walk away leaving it running, I don't understand how you could secure the entire system- not just the password file.
Quad Shot of Ubuntu
Then why have a lock on User Accounts? It makes no sense to have a lock on User Accounts and not Passwords and Keys. Shouldn't Ubuntu at least be consistent on how it treats similar applications?
|
Systems Samurai
it is not Ubuntu's application.
it is seahorse/GNU privacy guard
and if you give your car keys to your friend and they crash your car is it then the car manufacturers fault that the car was allowed to be driven by the person with the keys ? or yours for giving the keys to someone ?
Physical access is root access.
Do you want a password prompt for every action ? or are you happy to allow your friend to access your documents, spreadsheets, emails but just not your passwords ? after all why do they need your passwords ? you have given them access to everything anyways
Peace
Backtrack - Giving machine guns to monkeys since 2006
Kali-Linux - Adding a grenade launcher to the machine guns since 2013
Quad Shot of Ubuntu
So why have sudo or a lock on any application? I've always thought it was there for security.
|
Posting Permissions
Adv Reply
Bookmarks