Comment 11 for bug 1800715

Alex Murray (alexmurray) wrote :

The security team consider the existing behaviour to be fine - i.e. automatically connect without authentication when an admin session is logged in and is an active seat (i.e. the screen / session is not switched to some other user's session / VT), and the screen is unlocked.

If someone has direct physical access to your machine they can achieve a lot already (say, for instance, they could connect an inline USB keylogger or similar http://www.keelog.com/) - so I don't see this as any higher risk for TB3. Also agree with @seb128's comments in this regard too.

Finally, I also agree with upstream's rationale that it is not helpful or useful to ask the user to authorize - training users to just click Yes to get things done is not an effective security strategy.