desktop should disable automounting when screen is locked
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNOME Settings Daemon | Fix Released | Medium | |
nautilus (Ubuntu) | Fix Released | Medium | Martin Pitt |
Natty | Fix Released | Medium | Martin Pitt |
Bug Description
Binary package hint: gnome-screensaver
To avoid auto-run attacks on the system from USB auto-mounting, the desktop should revoke the "at-console" policy kit privileges while the screen is locked, or not auto-mount inserted devices, similar to how gnome-keyring flushes all keys when locking the screen.
http://
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: gnome-screensaver 2.30.2-0ubuntu1
ProcVersionSign
Uname: Linux 2.6.37-12-generic x86_64
Architecture: amd64
Date: Mon Feb 7 18:24:18 2011
GconfGnomeSession:
idle_delay = 5
/desktop/
windowmanager = metacity
GnomeSessionIdl
GnomeSessionInh
ProcEnviron:
LANGUAGE=en_US:en
PATH=(custom, user)
LANG=en_US.UTF-8
LC_MESSAGES=
SHELL=/bin/bash
SourcePackage: gnome-screensaver
WindowManager: metacity
XorgConf:
Section "ServerFlags"
Option "DontZap" "False"
EndSection
affects: | gnome-screensaver (Ubuntu Natty) → nautilus (Ubuntu Natty) |
Changed in nautilus: | |
importance: | Unknown → Medium |
status: | Unknown → New |
Changed in nautilus (Ubuntu Natty): | |
status: | Triaged → In Progress |
affects: | nautilus → gnome-settings-daemon |
Changed in gnome-settings-daemon: | |
status: | New → Fix Released |
Changed in nautilus (Ubuntu Natty): | |
status: | In Progress → Fix Committed |
Revoking at_console privileges is neither practical nor desired. It would mean that you couldn't access the sound card or your modem any more while the screen is locked; also, this would mean that the desktop would need to get the privilege to give back at_console privileges to itself when unlocking, which really shouldn't happen.
I think for this scenario it would make more sense to disable automounting while the screen is locked. This needs to happen in nautilus, or perhaps the gvfs volume daemon. I'll discuss that with upstream.
Moving milestone, as it isn't a release blocker, and the kind of bug fix that can be done after FF.
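
The mitigation discussed in the comments above (no automounting while the screen is locked), written as a per-user watcher script. This is an added example, not the fix released in gnome-settings-daemon or nautilus. It assumes a GNOME session where automounting follows the gsettings keys `automount` and `automount-open` in `org.gnome.desktop.media-handling` and where the screensaver emits `ActiveChanged` on `org.gnome.ScreenSaver`; the function names and the `GET_KEY`/`SET_KEY` overrides are illustrative.

```shell
#!/bin/sh
# Added example (not the upstream fix): switch automount off while the screen is locked.
# Assumptions: the session uses the gsettings schema below and the screensaver emits
# org.gnome.ScreenSaver ActiveChanged(boolean) on the session bus.
SCHEMA=org.gnome.desktop.media-handling
GET_KEY="${GET_KEY:-gsettings get}"   # overridable so the logic can run without a desktop
SET_KEY="${SET_KEY:-gsettings set}"
saved_automount=
saved_open=

# Turn dbus-monitor text (stdin) into one "locked"/"unlocked" line per ActiveChanged signal.
lock_events() {
    pending=0
    while IFS= read -r line; do
        case "$line" in
            *member=ActiveChanged*) pending=1 ;;
            *"boolean true"*)  if [ "$pending" = 1 ]; then echo locked; fi; pending=0 ;;
            *"boolean false"*) if [ "$pending" = 1 ]; then echo unlocked; fi; pending=0 ;;
            *) pending=0 ;;   # a boolean after any other header is not a lock event
        esac
    done
}

# Apply one event. The user's own values are saved on the first lock only, so a repeated
# lock signal cannot overwrite them with the forced "false".
apply_event() {
    case "$1" in
        locked)
            if [ -z "$saved_automount" ]; then
                saved_automount=$($GET_KEY "$SCHEMA" automount)
                saved_open=$($GET_KEY "$SCHEMA" automount-open)
            fi
            $SET_KEY "$SCHEMA" automount false
            $SET_KEY "$SCHEMA" automount-open false ;;
        unlocked)
            if [ -n "$saved_automount" ]; then
                $SET_KEY "$SCHEMA" automount "$saved_automount"
                $SET_KEY "$SCHEMA" automount-open "$saved_open"
                saved_automount=
                saved_open=
            fi ;;
    esac
}

watch_session() {
    dbus-monitor --session \
        "type='signal',interface='org.gnome.ScreenSaver',member='ActiveChanged'" |
        lock_events | while IFS= read -r ev; do apply_event "$ev"; done
}

if [ "${1:-}" = "--watch" ]; then watch_session; fi
```

Run it with `--watch` from session startup. If the watcher exits while the screen is locked, the keys stay at `false` until they are reset by hand.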