Ubuntu
gnome-keyring package

"An application wants access to the keyring" (which application is not specified)

Bug #1293790 reported by Jon Davis on 2014-03-17

This bug report is a duplicate of: Bug #246185: "Unlock Private Key" dialog mysteriously refers to "an application". Edit Remove

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	gnome-keyring (Ubuntu)	New	Undecided	Unassigned

Bug Description

I have Ubuntu 13.10 Desktop installed. I am being prompted with this message: "Title: 'Unlock Keyring' - An application wants access to the keyring 'default', but it is locked. Password? [____]" Note that in this case there is no "Details >" expansion control, no "reveal more", no button to "view details" etc.

This is not an unfamiliar message, similar concepts exist for both Windows and Mac, and the behavior derives from earlier forms of Linux. The idea of a keyring specifically is something I used on the Mac.

I have some beef with this message in Ubuntu's form, however. What application is requesting this? Accessing a keyring with a password is asking for a Master password, one password to rule them all. One cannot, and should not, just hand out this master password to any application. So what application wants access to the keyring??

IMO this failure to disclose who is asking for the master password is critically bad security.

Tags:

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2014-03-17:

Agreed, the dialog is annoying. 'update-manager' isn't the correct component though, as I see this dialog often with workflows that don't use the update manager.

information type:

Private Security → Public Security

Revision history for this message

Jon Davis (stimpy77) wrote on 2014-03-18:

As the OP'r for the record I'm not concerned about the "annoyance" of the dialog--that is a separate concern that I came to realize my actions contribute to the problem by choosing to auto-login. My concern is with the security vulnerability in not disclosing which app is requesting the master password. That is an unacceptable UI pattern going forward.

Sebastien Bacher (seb128) on 2014-03-19

affects:

update-manager (Ubuntu) → gnome-keyring (Ubuntu)

Revision history for this message

Jon Davis (stimpy77) wrote on 2014-03-21:

Re: This bug report is a duplicate of: Bug #246185

I had only been on Ubuntu Desktop for hours before deciding to set up my account to post this bug as I consider it pretty serious. You mean to tell me this has been a known problem since seven years ago, and the problem still exists? Does anybody else use this thing?
Retracting my recommendation ...

Revision history for this message

Sebastien Bacher (seb128) wrote on 2014-03-21:

read https://bugzilla.gnome.org/show_bug.cgi?id=574315 for specifics details on why having the label/app name wouldn't help much, if you are interested

Revision history for this message

Jon Davis (stimpy77) wrote on 2014-03-21:

Yeah. "At this point putting up a label for which application is accessing the secret
isn't that easy, and it's very hard to get it completely right. It would be
nice to get this working, but unless someone pitches in with a plan/code, it's
currently at a lower priority than other gnome-keyring work."

.. the way I read that is, ..

"Sorry, it turns out that even though we know that 'an application' wants to gain access to the keyring, it's too hawrd to figure out how to track that. So, we're putting this off. Indefinitely."

Open source developers. Gotta love 'em. (Yes this is a snide remark. I'm embarrassed for these people. A desktop OS exists FOR A USER. So if a security message cannot be properly constructing its message because to properly construct its message is too hawrd, the message should not be shown. Redesign the keyring feature or drop the feature.)

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2014-03-21:

Stimpy, I came to a different conclusion from the upstream bug report.

The problem isn't figuring out which _one_ application wants the key, it's that the key will be available to _all_ the desktop applications.

Fixing this issue will take significant work -- switching to Mir or Wayland, for a start -- and providing mandatory access control policies for desktop applications.

The problem isn't just with the message presented to the user.

Thanks

Revision history for this message

Jon Davis (stimpy77) wrote on 2014-03-22:

I picked up on that too. This is why I said, "Redesign the keyring feature or drop the feature." Unlocking for all apps is already happening, and already a security vulnerability. But since *that* issue is a different bug, the least you can do is communicate which application is requesting access, *and* inform the user that clicking "Allow" will also unlock the keyring for other applications. Full disclosure. Why the secrecy? It's just another sentence, not like it means writing a book to the user. Give the user enough information to decide whether to click 'Allow' or not. Or, simply, drop the keyring feature.