too few information on Authentication Dialog

Bug #1451398 reported by Luc Pi on 2015-05-04
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
policykit-1 (Ubuntu)
Wishlist
Unassigned
policykit-1-gnome (Ubuntu)
Wishlist
Unassigned

Bug Description

The "Authentication required" dialog gives really too few information about what requested it.

This happens for example for bug reports for system programs, but not only.
The question has also been asked, for example here:
http://unix.stackexchange.com/questions/87288/how-do-i-tell-what-program-is-asking-for-a-password

We have no clue where the dialog comes from.

Especially as sometimes there is a delay between some action and the time when the dialog pops up, so it may seems it comes from nowhere.

Also as the dialog uses a different theme (dark theme) compared to the application that may have triggered the dialog.

I am no security expert, but I see this as a security vulnerability. I basically trust my system, but still I feel insecure typing my admin password in a window that pops up "randomly".

What grants the origin of this dialog box?

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: policykit-1 0.105-8ubuntu2
Uname: Linux 4.1.0-040100rc1-generic i686
ApportVersion: 2.17.2-0ubuntu1
Architecture: i386
CurrentDesktop: GNOME
Date: Mon May 4 12:24:27 2015
InstallationDate: Installed on 2014-06-17 (320 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release i386 (20140417)
JournalErrors: Error: command ['journalctl', '-b', '--priority', 'warning'] failed with exit code 1: No journal files were found.
SourcePackage: policykit-1
UpgradeStatus: Upgraded to vivid on 2015-04-27 (6 days ago)

Luc Pi (oluc) wrote :
information type: Private Security → Public Security
Changed in policykit-1 (Ubuntu):
status: New → Confirmed
Changed in policykit-1-gnome (Ubuntu):
status: New → Confirmed
Changed in policykit-1 (Ubuntu):
importance: Undecided → Wishlist
Changed in policykit-1-gnome (Ubuntu):
importance: Undecided → Wishlist
Luc Pi (oluc) wrote :

Additionally,

it seems that the dialog is blocking the screen, preventing the user to check other windows

If I cancel the authentication, I am not sure how to restart the action (that triggered the authentication request) later, like for example an automatic bug report...

Luc Pi (oluc) wrote :

My bank uses double identification (website + mobile app). When the mobile app asks for a pin to confirm a payment, it displays the payment information. So I know that the confirmation request comes from the payment I just initiated, and that it's not a random window that pops up from nowhere.

I think the Authentication Dialog should work the same way, displaying information from the originating application, something like:

    The application "foo bar" is requesting authentication for
    "doing this and that".

For example:
==================================
 Authentication request

 The application "Software Update" is requesting authentication for
 "installing gnome-maps, gnome-photos, gnome-foo, gnome-bar"

 Please enter...

 Password: [_____________]
==================================

If the explanation string starts to be long,
there could be a summary string,
and a longuer one in a collapsable container (or alike)

For example:
==================================
 Authentication request

 The application "Software Update" is requesting authentication for
 "installing gnome-maps, gnome-photos, gnome-foo, gnome-bar" and more...
 [v ### //see more// ########################################]

 Please enter...

 Password: [_____________]
==================================

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers