Thunar can open LUKS device in spite of "Forget Password immediately"

Bug #1879095 reported by ^rooker
This bug affects 1 person
Affects: thunar (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Xubuntu 18.04.3

When opening a LUKS device in Thunar, it asks for the password. When I select the option "Forget password immediately", I would expect Thunar to ask me again, once I've closed and re-opened Thunar.

What is the difference from "Remember password until you logout"?

How can I achieve the behavior that it "only works once"?

Thank you very much in advance,
^Rooker

btw: Could this actually be a security-related issue? Since someone could access the LUKS data while the user is still logged in or so?

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: thunar 1.6.15-0ubuntu1.18.04.1
ProcVersionSignature: Ubuntu 5.3.0-46.38~18.04.1-generic 5.3.18
Uname: Linux 5.3.0-46-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.14
Architecture: amd64
CurrentDesktop: XFCE
Date: Sat May 16 22:35:34 2020
ExecutablePath: /usr/bin/thunar
InstallationDate: Installed on 2020-04-24 (22 days ago)
InstallationMedia: Xubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
SourcePackage: thunar
UpgradeStatus: No upgrade log present (probably fresh install)

Alex Murray (alexmurray) wrote :

Once a LUKS device is unlocked it is accessible without the password - so I think what is happening is that you are unlocking the device via Thunar and then it remains unlocked, so even though Thunar has forgotten the password, it does not need it to access the device anymore. You need to relock the LUKS device then to prevent further access. This seems more like a UX issue where it is not clear what the expectation may be for the user rather than a security issue.

information type: Private Security → Public
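
Added example, not part of the original bug thread: the comment above notes that an unlocked LUKS device stays accessible until it is relocked, whether or not the passphrase was remembered. This script lists dm-crypt mappings that are still open and prints the udisksctl commands that would relock them; the function names and the sample lsblk output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). It only prints; nothing is changed.

# Constructed sample of `lsblk -rno NAME,TYPE,PKNAME,MOUNTPOINT` output.
sample_lsblk() {
    cat <<'EOF'
sda disk
sda1 part sda /boot
sda2 part sda
sda2_crypt crypt sda2
vg-root lvm sda2_crypt /
sdb disk
sdb1 part sdb
luks-1111 crypt sdb1 /media/user/backup
sdc disk
sdc1 part sdc
luks-2222 crypt sdc1
EOF
}

# stdin: lsblk text as above. stdout: one line per open dm-crypt mapping,
# "<mapping> <backing-device> <state> [<mountpoint>]".
open_luks() {
    awk '
        !($1 in type) { order[++n] = $1 }
        { type[$1] = $2; parent[$1] = $3; mnt[$1] = $4; haschild[$3] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (type[d] != "crypt") continue
                if (mnt[d] != "")     state = "mounted"
                else if (haschild[d]) state = "stacked"   # e.g. LVM on LUKS
                else                  state = "idle"      # unlocked, unused
                printf "%s %s %s%s\n", d, parent[d], state,
                       (mnt[d] != "" ? " " mnt[d] : "")
            }
        }'
}

# Turns the report into the commands a user would run to relock each device.
relock_plan() {
    open_luks | while read -r map backing state mnt; do
        case $state in
            mounted) echo "udisksctl unmount -b /dev/mapper/$map"
                     echo "udisksctl lock -b /dev/$backing" ;;
            idle)    echo "udisksctl lock -b /dev/$backing" ;;
            stacked) echo "# $map has child devices; left alone" ;;
        esac
    done
}

sample_lsblk | relock_plan
```

On a live system, pipe `lsblk -rno NAME,TYPE,PKNAME,MOUNTPOINT` into `relock_plan` instead of the sample.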
Alex Murray (alexmurray) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

^rooker (rooker) wrote :

Thanks for clarifying this :)
And I'm actually happy that it is *not* a security issue.

I agree that it seems like a UX issue: As I've mentioned, I was expecting a different behavior based on the wording of the password-store dialog.

I understand it's not a bug, but I assume I may not be the only one with these unclear assumptions: what would be the right place to engage in a discussion about this?
Maybe the option "convert to a question"?
