On Sat Jan 24 11:00, Reinhard Tartler wrote: > Josselin Mouette <joss@debian.org> writes: > > > I think Steve has a point, and as he explains, this is not a big > > security issue; however it is breaking the expectations you have when > > logging as another user. For example, it is not expected that starting > > an application as the other user will re-use the running one, and it is > > not expected that accessing the GNOME keyring will show the passwords of > > the original user. > > Well, then how about gnome-keyring or other applications not expecting > that behaviour should then check the effective user id in addition to > the session cookie in the environment variable? > > In any case, this behaviour should probably be somewhere properly > documented, at least in the developer and/or user documentation of > gnome-keyring (I have to admit that I didn't check it myself, since I > haven't developed an application which uses gnome-keyring yet). Well, if they are using DBUS this should be fine. You cannot connect to a session bus with a uid other than the one it is running as (including root) Matt -- Matthew Johnson
Attachment:
signature.asc
Description: Digital signature