Pointer grabs causing accessibility issues! Why not deprecate them?

David Zeuthen david at fubar.dk
Tue Apr 29 22:51:27 PDT 2008


On Tue, 2008-04-29 at 21:43 -0400, Eamon Walsh wrote:
> Except XQueryKeymap and XQueryPointer allow complete recovery of the 
> input regardless of grabs.  Are the PolicyKit people aware of this?

Certainly, the grabbing in the PolicyKit authentication dialog is not
really for security per se [1], it's simply there to avoid things
like people entering their password into their IRC client etc. That's
also why we don't even bother to grab properly (if we don't get the grab
within ten tries we just proceed without grabbing).

(Btw, contrary to popular belief, the main point about PolicyKit isn't
really the password dialog; people who think that entering a password to
do mundane tasks like changing the time zone on their _personal_ laptop
etc. adds security are somewhat misguided [2]. No, the point really is
that PolicyKit is an authorization framework; the bit about password
dialogs is only there because most consumer/hobbyist systems don't have
a system administrator to grant the proper authorizations to the user.
And to ship a general purpose OS one wants to err on the safe side, e.g.
grant as few privileges as possible by default. Ideally, users wouldn't have to
bother with annoying password dialogs that interrupt their work. The way
PolicyKit works right now should help minimize this through allowing
users to retain authorizations [3].)

     David

[1] : I think there are much larger issues including object labeling in
the windowing system (e.g. XACE / SELinux integration), a way to write
secure GTK+ apps etc. that need to be solved before that can be
considered. Or, perhaps, forcing users to use the SAK to go to a
secure desktop (e.g. another X server) like in Windows. And then ask for
the password. And then there are the a11y tools to consider (on screen
keyboards / screen readers); they too need to be as secure as the
password dialog since they need to interact with it. Tough problem.

[2] : But you always want the authentication dialogs for trusted path;
e.g. some programs (modem dialers) really want to know that the intent to do
an operation (like calling a 1-900 number at $50 / minute in a foreign
country) stems from the human being operating the system. Things like
that.

[3] : but, of course, such policies can be heavily tweaked / customized
to meet the requirements of the user / system / site / organization etc.
