I would like my system to be able to take a single instance of my password (let's say it's "password") and remember that I recently typed it, throughout the system.
Currently, when I log into my window manager (KDE) I type "password" and then if I want to run a program soon thereafter (let's say within 5 minutes) from the terminal, I need to retype it. Then if I want to do something serious (like use a package manager front-end, update antivirus, or make a system change) I need to type in "password" yet again.
I would like logging into the window manager to inform the system that I have authorized it to make significant changes. Although I wonder if there are any significant security vulnerabilities I would be opening up by doing this, and are there any mitigations?
Thanks very much for reading my post, and for any help.
Last edited by Cyberpunk_Is_Bae (2020-05-29 11:28:40)
Offline
1. You start something with elevated rights, which flags your session as elevated for, say, 5 minutes.
2. You start, say, the WhatsApp messenger.
3. The WhatsApp messenger starts something with elevated rights. Since your session is flagged as "may sudo" for 5 mins, you won't even notice.
4. Welcome to the botnet.
Would you, as a developer, write some feature that's been in the pipeline for years, or create a workaround for the handful of people who somehow need elevated rights every few minutes?
Offline
Is there not already a keyring behavior that exists in the console and in the window manager (two patterns, separately)?
It seems like sometimes I don't need to retype my password if I do two things quickly in succession within a few minutes.
It seems like password timeouts are pretty standard, but maybe I'm incorrect?
Offline
The first problem is that you're probably using different elevation methods (polkit for the GUI stuff, sudo rather than pkexec in the text shell).
The next problem is that the polkit rule for the action you perform needs to be set to auth_*_keep.
Then you probably want the authorization to be cross action/shell - I'm not sure whether polkit allows this at all and while sudo has a cross-shell feature, it's the most stupid idea ever to be activated.
To add to Awebb, there's a reason why you don't login as root itfp.
Now what you ask for is to make your login root for 5 minutes. And then another 5 minutes. And the next five minutes thereafter…
You're essentially running an annoying root login.
Don't.
What you can do instead is to remove the authorization requirement for specific actions where you deem it reasonable enough. E.g. %wheel members on my systems are allowed to run "sudo /usr/bin/pacman -Syu" unconditionally.
Offline
Ahhh, you make it granular, I love it. Are there any good guides on this or do I just man sudo?
Offline
"man sudoers", but the sudoers file (visudo) actually has pretty straightforward examples.
Edit:
https://wiki.archlinux.org/index.php/Sudo
https://wiki.archlinux.org/index.php/Polkit
Last edited by seth (2020-05-31 13:50:27)
Offline
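The granular rule mentioned in the thread (%wheel members running "/usr/bin/pacman -Syu" without a password) written out as a sudoers drop-in that is syntax-checked with visudo before it is installed. This is an added example, not code from any poster; the drop-in file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: render, validate and install one narrowly scoped NOPASSWD rule.
# DROPIN is an assumed file name; anything under /etc/sudoers.d/ works.
DROPIN=/etc/sudoers.d/10-wheel-pacman-syu

# Print a rule letting GROUP run exactly "COMMAND ARGS" as root.
# sudoers matches listed arguments exactly, so "-Syu" does not permit "-S pkg".
render_rule() {
    local group="$1" cmd="$2" args="${3:-}"
    case "$cmd" in
        /*) ;;   # absolute path only, so PATH tricks cannot redirect the rule
        *) echo "command must be an absolute path" >&2; return 1 ;;
    esac
    # Refuse wildcards and sudoers metacharacters that would widen or break the rule.
    case "$group $cmd $args" in
        *'*'*|*'?'*|*'['*|*']'*|*,*|*:*|*=*|*'\'*|*'#'*|*'!'*)
            echo "wildcards and sudoers metacharacters are not allowed" >&2
            return 1 ;;
    esac
    # In sudoers, "" after a command means "only with no arguments at all".
    [ -n "$args" ] || args='""'
    printf '%%%s ALL=(root) NOPASSWD: %s %s\n' "$group" "$cmd" "$args"
}

# Write the rule to a temp file, check it, then install it root-owned, mode 0440.
install_rule() {
    local tmp
    tmp=$(mktemp) || return 1
    render_rule "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    # visudo -c -f parses the candidate file without touching the live policy.
    if visudo -cf "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "$DROPIN"
    else
        echo "rule failed the visudo syntax check; nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Run as root with --install to apply the rule from the thread.
if [ "${1:-}" = "--install" ]; then
    install_rule wheel /usr/bin/pacman -Syu
fi
```

Every other sudo invocation still prompts for a password, so only the one listed command line is exempt.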