The security team consider the existing behaviour is fine - ie. automatically connect without authentication when an admin session is logged in and is an active seat (ie. the screen / session is not switched to some other users sessions / VT), and the screen is unlocked.
If someone has direct physical access to your machine they can achieve a lot already (say for instance they could connect an-inline USB keylogger or similar http://www.keelog.com/) - so I don't see this as any higher risk for TB3. Also agree with @seb128's comments in this regard too. Finally, I also agree with upstream's rationale that it is not helpful or useful to ask the user to authorize - training users to just click Yes to get things done is not an effective security strategy. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1800715 Title: Prompt for credential when it shouldn't To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bolt/+bug/1800715/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
