Require password when starting usb-creator

Bug #1832337 reported by Mike Salvatore on 2019-06-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
policykit-desktop-privileges (Ubuntu)
Undecided
Ubuntu Security Team
usb-creator (Ubuntu)
Undecided
Ubuntu Security Team

Bug Description

Because usb-creator performs privileged actions, it should require authentication prior to starting. policykit-desktop-privileges should be modified so that usb-creator requires password authentication prior to starting.

While it was a deliberate design decision to allow usb-creator to perform mounting and writing without authentication (see https://bugs.launchpad.net/ubuntu/+source/policykit-desktop-privileges/+bug/1568149), this decision should be revisited. Allowing the use of usb-creator without authentication presents an unnecessary security risk.

Marc Deslauriers (mdeslaur) wrote :

This will also require usb-creator to be modified to have a single policykit prompt.

Changed in usb-creator (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in policykit-desktop-privileges (Ubuntu):
status: New → In Progress
Changed in usb-creator (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package usb-creator - 0.3.6

---------------
usb-creator (0.3.6) eoan; urgency=medium

  * Unmount device during image operation so a single policykit prompt can
    be displayed to the user. (LP: #1832337)

 -- Marc Deslauriers <email address hidden> Tue, 18 Jun 2019 14:19:59 -0400

Changed in usb-creator (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-desktop-privileges - 0.21

---------------
policykit-desktop-privileges (0.21) eoan; urgency=medium

  * Don't allow usb-creator to overwrite devices without authentication.
    (LP: #1832337)

 -- Marc Deslauriers <email address hidden> Tue, 18 Jun 2019 13:56:08 -0400

Changed in policykit-desktop-privileges (Ubuntu):
status: In Progress → Fix Released
Bib (bybeu) wrote :

IIUC, when anyone who plugs a removable USB stick in a PC it is mounted in /media/<user>/<label> and, as long as the FS in the device does not support privileges attributes (e.g. FAT32), anyone is granted the rights to overwrite anything (but partitions ?) in the device. So I don't see why anyone would be bored with authentication for this task. Let me know if I forget something.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers