After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 725641 - When unlocking keyrings, seahorse should remember choice for "Automatically unlock this keyring"
When unlocking keyrings, seahorse should remember choice for "Automatically u...
Status: RESOLVED OBSOLETE
Product: seahorse
Classification: Applications
Component: general
3.10.x
Other Linux
: Normal normal
: ---
Assigned To: Seahorse Maintainer
Seahorse Maintainer
Depends on:
Blocks:
 
 
Reported: 2014-03-04 06:40 UTC by blub
Modified: 2018-08-03 19:36 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
preselection-removed (1.42 KB, patch)
2016-02-01 22:58 UTC, Atul Anand 		none Details | Review

Description blub 2014-03-04 06:40:04 UTC 
If you have several keyrings and you do not want to unlock all of them after login (say, one for your banking information) you can manually unlock keyrings in seahorse.

Everytime you do so, you are promted with the password and a checkbox "Automatically unlock this keyring whenever I'm logged in". This checkbox should remember your choice, so you don't always have to uncheck it. Or even easier: it should be unchecked by default.

Forgetting to uncheck the box may lead to the decryption of sensitive data everytime you login.

This bug has also been filed for nautilus (mounting of hard drives) and has been fixed for a while now using a simple dconf entry.
Comment 1 Elias Toivanen 2015-06-07 20:06:26 UTC 
This bug is still present. I'd love to see it fixed.
Comment 2 freddi34 2016-01-26 17:22:49 UTC 
A critical aspect of this bug has not yet emphasized:

The checkbox is always **preselected**, which means the security of the keyring will always be reduced (by turning it from manually to automatically unlocked) without any intervention by the user. For example you forget to uncheck and hit enter. The supposed behavior should always be that changing a setting should require a user intervention (setting the checkmark) not vice-versa.

Thus the current behavior is the opposite of "security by default".
Comment 3 Atul Anand 2016-02-01 22:58:20 UTC 
Created attachment 320238 [details] [review]
preselection-removed
Comment 4 Atul Anand 2016-02-01 23:06:39 UTC 
Added a patch that disables the preselection of checkbox "Automatically 
unlock this keyring whenever I'm logged in "  when unlocking 
a keyring which will prevent the automatic unlocking functionality
to setup for a keyring when user mistakely hits enter without unchecking
the checkbox.
The patch is applicable to Gnome-keyring source.
Kindly review.
Regards,
Atul.
Comment 5 freddi34 2016-12-21 12:06:41 UTC 
I confirm that the patch works (after installation and re-login), and urge to review, accept and push it into distros as soon as possible. Thank you!
Comment 6 freddi34 2017-05-27 09:32:08 UTC 
Request for reviewing Atul Anand's patch.

This security issue is still a problem in seahorse 3.20.0-3.1 (Ubuntu Gnome 17.04). I have to apply the patch again because the repos don't contain the fix.

Thank you once again for the patch, and thanks in advance for acceptance!
Comment 7 Ankur deDev 2018-01-31 08:40:13 UTC 
Would be great to see this pushed!
Thanks
Comment 8 GNOME Infrastructure Team 2018-08-03 19:36:48 UTC 
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/seahorse/issues/101.