Re: cleaning up keyrings

From: Stef Walter <stef-list memberwebs com>
To: Bryan Clark <bclark redhat com>
Cc: David Zeuthen <david fubar dk>, Havoc Pennington <hp redhat com>, desktop-devel-list gnome org
Subject: Re: cleaning up keyrings
Date: Wed, 29 Aug 2007 16:30:33 +0000 (UTC)

Bryan Clark wrote:
> Can an application that stores a secret be able to retrieve that same secret
> without unlocking the keyring?

Yes for sure.

> I never really understand why NetworkManager, the one who put certain
> secrets into my keyring needs to ask my permission to get those secrets
> back.  Sure those secrets are "my passwords", but I already gave them to NM
> once, why does it need to ask to get them again?  If it wasn't a good idea
> to give those passwords to NM the first time, it's too late because it
> already has them.

Odd, it shouldn't do that. I've never seen it do the ACL prompt for the
application that stored the secret. However with previous versions of
GNOME (previous to 2.20) it did need to prompt for a passphrase once per
session in order to unlock the keyring. This nonsense has now been solved:

http://live.gnome.org/GnomeKeyring/Pam

> Even though the keyring is locked, it seems like the application that set
> the secret should be able to retrieve it.  I don't know how you want to make
> sure it's the same calling application, there might be some tricks in that.
> But this would reduce the number of login / access the keyring dialogs.

Yes, this is already the case. When a new secret is stored, an ACL is
automatically added to that item for the application that stored it. If
the originating application accesses that item, then no prompt should
ever be issued.

If you see a prompt in a certain case, then it's definitely a bug.

> One key to having better security is to not cry wolf to our user all the
> time.  In reality, even without crying wolf they are going to click through
> whatever dialogs we bring up so we might as well work with the mindset in
> our designs to not bring up the dialogs at all.  They'll likely be some
> exceptions where we feel a dialog is necessary, however each dialog really
> means we've failed at being secure and passed the buck on to our users.

For sure. And the access prompts that occur when one application
accesses another applications secrets (usually legitimately) are very
dumb from the perspective of the user.

This is a hard problem, as David pointed out. In fact our current
'prompting' solution only really works for C applications (with their
own unique executable path), so I would call it fundamentally broken.

http://bugzilla.gnome.org/show_bug.cgi?id=342144

Cheers,
Stef Walter

References:
- cleaning up keyrings
  - From: Havoc Pennington
- Re: cleaning up keyrings
  - From: David Zeuthen
- Re: cleaning up keyrings
  - From: Bryan Clark

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]