Package: gksu
Version: 2.0.0-1
Severity: wishlist

This is a wishlist bug: I wish 'man gksu' would be improved to warn about the issue.

Description of the problem:

man gksu mentions that gksu can "lock" keyboard, mouse and focus before it asks for a password. This can easily give the misconception that other programs running with the privileges of the user could not capture the password. For example Wikipedia claims:

"If either gksudo's "lock" feature or UAC's Secure Desktop were compromised or disabled, malicious applications could gain administrator privileges by using keystroke logging to record the administrator's password;"
http://en.wikipedia.org/wiki/Comparison_of_privilege_authorization_features

This claim is untrue since a malicious application running with the privileges of the user can run

  strace -p `pidof gksu` -s 4096 -o strace.out

and later recover the password (here "test1234") from strace.out:

  ...
  write(13, "test1234\0", 9) = 9
  write(13, "\n", 1) = 1
  read(13, "\r\n", 255) = 2
  read(13, "su: Authentication failure\r\nSorry.\r\n", 255) = 36
  ...

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686-bigmem
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)

Versions of packages gksu depends on:
ii  gnome-keyring           0.6.0-3            GNOME keyring services (daemon and
ii  libatk1.0-0             1.12.4-3           The ATK accessibility toolkit
ii  libc6                   2.3.6.ds1-13etch5  GNU C Library: Shared libraries
ii  libcairo2               1.2.4-4            The Cairo 2D vector graphics libra
ii  libfontconfig1          2.4.2-1.2          generic font configuration library
ii  libgconf2-4             2.16.1-1           GNOME configuration database syste
ii  libgksu2-0              2.0.3-7            library providing su and sudo func
ii  libglib2.0-0            2.12.4-2           The GLib library of C routines
ii  libgnome-keyring0       0.6.0-3            GNOME keyring services library
ii  libgtk2.0-0             2.8.20-7           The GTK+ graphical user interface
ii  liborbit2               1:2.14.3-0.2       libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0           1.14.8-5           Layout and rendering of internatio
ii  libstartup-notificatio  0.8-2              library for program launch feedbac
ii  libx11-6                2:1.0.3-7          X11 client-side library
ii  libxcursor1             1.1.7-4            X cursor management library
ii  libxext6                1:1.0.1-2          X11 miscellaneous extension librar
ii  libxfixes3              1:4.0.1-5          X11 miscellaneous 'fixes' extensio
ii  libxi6                  1:1.0.1-4          X11 Input extension library
ii  libxinerama1            1:1.0.1-4.1        X11 Xinerama extension library
ii  libxrandr2              2:1.1.0.2-5        X11 RandR extension library
ii  libxrender1             1:0.9.1-3          X Rendering Extension client libra
ii  sudo                    1.6.8p12-4         Provide limited super user privile

gksu recommends no packages.

-- no debconf information
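Added example, not part of the report or of gksu: the two defender-side checks that follow from it, reading kernel.yama.ptrace_scope (a Linux feature that did not exist on the 2.6.18 kernel in the report; with scope 0 or no Yama, any same-uid process may attach as the strace above does) and applying the process-side mitigation prctl(PR_SET_DUMPABLE, 0), which makes the kernel refuse ptrace attachment from unprivileged same-uid tracers. Function names are my own; the mitigation must run inside the password-handling program itself, before the password is read.

```c
#include <stdio.h>
#include <sys/prctl.h>

/* Read kernel.yama.ptrace_scope. Returns 0..3, or -1 if Yama is absent.
 * 0 (or -1): any process with the same uid may ptrace-attach, which is
 * exactly what lets "strace -p `pidof gksu`" see the password write().
 * 1: only a descendant may be traced; 2: CAP_SYS_PTRACE only; 3: never. */
int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Mark the calling process non-dumpable. The kernel's ptrace access check
 * then requires CAP_SYS_PTRACE, so an unprivileged same-uid strace -p gets
 * EPERM instead of attaching; /proc/<pid>/mem reads and core dumps are
 * refused as well. execve() resets the flag, so call this after startup and
 * before reading the password; a tracer already attached keeps its access.
 * Returns 0 when the flag is set and verified, -1 otherwise. */
int harden_against_same_uid_ptrace(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

int main(void)
{
    int scope = yama_ptrace_scope();
    if (scope < 1)
        printf("ptrace_scope=%d: any same-uid process may attach\n", scope);
    else
        printf("ptrace_scope=%d: same-uid attach restricted by Yama\n", scope);

    if (harden_against_same_uid_ptrace() == 0)
        puts("process is now non-dumpable; same-uid ptrace attach is refused");
    else
        perror("prctl(PR_SET_DUMPABLE)");
    return 0;
}
```

Note that the keyboard grab described in man gksu is an X11-level measure against other X clients; neither check above concerns X, they address the ptrace path the report demonstrates.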