On Sat Jan 24 11:00, Reinhard Tartler wrote:
> Josselin Mouette <j...@debian.org> writes:
> 
> > I think Steve has a point, and as he explains, this is not a big
> > security issue; however it is breaking the expectations you have when
> > logging as another user. For example, it is not expected that starting
> > an application as the other user will re-use the running one, and it is
> > not expected that accessing the GNOME keyring will show the passwords of
> > the original user.
> 
> Well, then how about gnome-keyring or other applications not expecting
> that behaviour should then check the effective user id in addition to
> the session cookie in the environment variable?
> 
> In any case, this behaviour should probably be somewhere properly
> documented, at least in the developer and/or user documentation of
> gnome-keyring (I have to admit that I didn't check it myself, since I
> haven't developed an application which uses gnome-keyring yet).

Well, if they are using DBUS this should be fine. You cannot connect to
a session bus with a uid other than the one it is running as (including
root).

Matt

-- 
Matthew Johnson
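
An added illustration, not part of the thread and not D-Bus or gnome-keyring code: the check discussed above (verifying the connecting user's uid in addition to a session cookie), sketched for a Linux Unix-domain socket using `SO_PEERCRED`. The function names and the cookie value are constructed for the example, and the third case simulates a session owned by a different uid by passing `me + 1` as the owner.

```python
import hmac
import os
import socket
import struct

_UCRED = struct.Struct("3i")  # Linux struct ucred: pid, uid, gid


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def authorize(conn, presented_cookie, session_cookie, owner_uid):
    """Allow only if the cookie matches AND the peer uid owns the session."""
    if not hmac.compare_digest(presented_cookie, session_cookie):
        return "deny: bad cookie"
    # The cookie can leak through an inherited environment (su, sudo),
    # so it is not sufficient on its own; the kernel-reported uid cannot
    # be supplied by the client.
    _pid, peer_uid, _gid = peer_credentials(conn)
    if peer_uid != owner_uid:
        return "deny: uid mismatch"
    return "allow"


def demo():
    cookie = b"constructed-session-cookie"  # constructed sample value
    service_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        me = os.geteuid()
        return {
            "same_user": authorize(service_end, cookie, cookie, me),
            "wrong_cookie": authorize(service_end, b"guess", cookie, me),
            # Correct cookie, but the session belongs to another uid
            # (simulated): the situation after switching user with the
            # original environment still in place.
            "other_user_owns_session": authorize(service_end, cookie, cookie, me + 1),
        }
    finally:
        service_end.close()
        client_end.close()


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```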
