GNOME Bugzilla – Bug 527361
keyring ask dialog should grab the screen like gksudo does
Last modified: 2011-06-18 07:44:14 UTC
Please describe the problem: Well I just logged into gnome. Like always keyring ask dialog asked me for the password to unlock the keyring. Like always I typed it in and pressed enter. What i didn't notice was that in the background a gajim message window opened (someone messaged me obviously) and stole the focus of the ask dialog, but didn't put itself in front of it. So it looked like the ask dialog still had the focus but i actually typed my password into the message window and sent it through the internet to some stranger who messaged me. That is a huge security hazard. An easy way to fix this would be for the ask dialog to force grabbing the screen like gksudo can, or at least there should be an option and i strongly suggest to enable it by default, so that users won't have to make up weird excuses to explain why one just said some weird word to a person who messaged you... Steps to reproduce: 1. log in 2. wait for the keyring ask dialog 3. wait for someone to message you and start typing....well, actually you shouldn't type your real password ;) 4. press enter 5. make up some excuse 6. look for a new password and hope that this won't happen again.... Actual results: Expected results: I'd expect the keyring ask dialog to grab the screen. Does this happen every time? ya, of course Other information:
Which version are you using? We put in a bunch of effort to make sure this doesn't happen in 2.22, but maybe it doesn't work in your exact use case, in which case I'll look into it further.
I was, and still am, using 2.22. I found out that compiz' focus stealing prevention is to blame. By default it set to 'low' and in that state it allows a window to grab focus without coming to front. So basically the gajim message window got the focus but compiz didn't bother putting it in front of any other window. Setting focus stealing prevention to 'off' does solve the problem. Any window getting the focus pops up. Still it would be much safer making the keyring ask dialog grabbing the screen like gksu(do) does (maybe it's not quiet clear what I'm talking about: What I mean is, if you start something with gksu(do) you get a fullscreen window which lays on top of everything (this grey veil) and in the middle you have the dialog asking for your password.). I've tried to focus another window while gksu(do) grabed the screen, one simply can't. So I'd suggest doing the same thing gksu(do) does so this can not happen again under any circumstance (not even a misconfigured (by default) compiz).
This is back in GNOME 3. With Fedora 15 more-or-less final package set, when I boot with auto-login, other windows take focus from the gnome-keyring passphrase entry dialog. It should probably be one of those neat GNOME 3 you-can't-do-anything-else-till-you've-typed-in-this dialogs, like the one virt-manager pops up to ask you for the root password.
Adam. That's right. I'm working on that here in bug #652459. So I'll close this bug, since this will be taken care of once we have this integrated properly into the shell. *** This bug has been marked as a duplicate of bug 652459 ***