Ubuntu
lightdm package

Firefox Should Not Prompt for Password Save in Guest Session

Bug #290507 reported by mlissner
272
This bug affects 2 people
Affects Status Importance Assigned to Milestone
lightdm (Ubuntu)
Triaged
Wishlist
Unassigned

Bug Description

Binary package hint: ubuntu-desktop

When using the guest session in Intrepid, Firefox prompts users if they want to save their passwords on websites. This is a problem for two reasons:
1. The passwords are only saved for that session (this is good, though a different impression is given by the offer to save passwords)
2. Alice logs in as a guest, saves a password in firefox, and then switches the session to Bob without logging out. Then Bob lets Joseph use the guest session by switching him to it, Joseph has access to the password that Alice saved previously.

Tags: saucy
Revision history for this message
Joachim Hansen (sn3ipen) wrote :

That 's not realy a prblem because Alice should not save the password on Bob's computer in The first place.

Revision history for this message
mlissner (mlissner-michaeljaylissner) wrote :

True, but you know how Alice is about being a predictable, logical, and intelligent user.

Revision history for this message
Colin Watson (cjwatson) wrote :

Reassigning to gdm-guest-session, though it may need help from Firefox to implement this.

Jamie Strandboge (jdstrand)
Changed in gdm-guest-session:
status: New → Confirmed
Marc Deslauriers (mdeslaur)
Changed in gdm-guest-session (Ubuntu):
importance: Undecided → Wishlist
Revision history for this message
Martin Pitt (pitti) wrote :

Admittedly this is a very contrived argument. With the same logic, you could also forbid Alice to write _any_ file at all, or even better, disallow everyone to create file, since they might otherwise upload them to a public website or borrow their computer to other people.

If you carelessly leave private stuff on other computers, this is an entirely social problem, I don't think that there's a good technical answer for this. Firefox even asks you whether it stores the password. No sane person would give their credit card to a random stranger on the street and then walk away. If people do the same with computers, then we have an education problem, not a guest session bug. :-)

Alex, is it even possible to do that, such as providing some firefox default settings in guest's firefox profile? If that is too hard, nevermind.

Changed in gdm-guest-session (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Alexander Sack (asac) wrote : Re: [Bug 290507] Re: Firefox Should Not Prompt for Password Save in Guest Session

On Thu, Apr 23, 2009 at 02:06:48PM -0000, Martin Pitt wrote:
> Admittedly this is a very contrived argument. With the same logic, you
> could also forbid Alice to write _any_ file at all, or even better,
> disallow everyone to create file, since they might otherwise upload them
> to a public website or borrow their computer to other people.
>
> If you carelessly leave private stuff on other computers, this is an
> entirely social problem, I don't think that there's a good technical
> answer for this. Firefox even asks you whether it stores the password.
> No sane person would give their credit card to a random stranger on the
> street and then walk away. If people do the same with computers, then we
> have an education problem, not a guest session bug. :-)
>
> Alex, is it even possible to do that, such as providing some firefox
> default settings in guest's firefox profile? If that is too hard,
> nevermind.
>

If its somehow possible to determine that ffox is in guest session, it
would probably be possible to default firefox to "ask for removal of
private" data ...; making this dependent on some env variable would be
non-trivial though; if its possible to copy a default profile on guest
session initialization (or guest session user account setup) that
would probably work.

 - Alexander

Kees Cook (kees)
Changed in gdm-guest-session (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

Considering the temporary nature of a guest session, it's contradictory IMO if Firefox keeps prompting about remembering passwords.

Please check out http://ubuntuforums.org/showthread.php?t=1566078
In the tarball file that is attached to that tutorial you find code for setting Firefox preferences in a guest session.

Adolfo Jayme Barrientos (fitojb)
affects: gdm-guest-session (Ubuntu) → firefox (Ubuntu)
Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

There are more preferences - not only with respect to the web browser - whose defaults should differ in a guest session compared to an ordinary session. Changing respective application for that reason would make little sense. In this particular case it can easily be done by modifying the guest session feature.

https://blueprints.launchpad.net/ubuntu/+spec/guest-session-sane-defaults

affects: firefox (Ubuntu) → lightdm (Ubuntu)
Adam Niedling (krychek)
tags: added: saucy
Revision history for this message
Adam Niedling (krychek) wrote :

The solution of bug #435930 kind of solves this problem by explaining the nature of guest mode to the users.
I don't think it can be expected by the Ubuntu developer team to change the behaviour of each software to make them foolproof in guest mode.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.