Serious flaw with Mint 17 Mate 64-bit pkexec window

[linx255]

I ran the script but the pkexec window does not grab focus in any circumstance, whether I alt+tab away & back / not.
I call it a serious flaw because hypothetically the password could get typed into a chat window or a document if it happened to jump to that window and the user might not notice, especially if that window was in the background and/or they weren't looking closely.

_____


By the way, I originally posted this topic in 'Other topics', as I thought the problem was exclusively related to 'Update Manager', however, I changed it to just pkexec window after discovering this is not the case for me, though it is for Monsta. Sorry for any confusion.

I don't know of any settings in Control Center, or any Linux desktop settings anywhere that can be altered. ( Recall years back using Solaris and Red Hat, which gave you the ability to customize focus behavior, but nothing close to that exists in Mint that I can tell. ) We're trying to determine why the pkexec window doesn't grab focus consistently across applications, desktop managers, and machines. It's a substantial security hazard because you see the window pop up and type your password only to find you've typed it into another window, possibly a text editor or field.

The results on this topic so far are interesting; it seems to be a combination of factors. To recap, the window focus is either granted or withheld to the pkexec window, determined:

1) randomly by unknown condition(s) when launched from update manager ( in MATE, per Monsta )
2) by whether update manager has already launched pkexec within the same session ( my observation; I haven't yet narrowed down to whether it's the update manager session or Mint session )
3) by the application that launched it ( in MATE, my observation; works from terminal always, but not other applications including / besides update manager )
4) by the desktop manager ( mixed for MATE vs always for XFCE / Cinnamon, per Monsta )
5) by whether the application parent to pkexec was alt+tabbed away from and back ( do I understand that correctly? )


Monsta and I get different window focus behaviors in Mint 17 MATE 64-bit. At this point, we should be asking what differences in our systems might shed more light. However, out of the infinite possible differences between 2 systems, don't know which ones would be worth looking into that may explain these conflicting results. Unfortunately no time to test out Cinnamon / XFCE or another machine. Don't recall this being a problem with any previous version of Mint nor any other Linux distro.

It's interesting how, for me, running pkexec from terminal always gets focus, but the never gets focus when launched from the above python script, when I run it from terminal. I'll try the alt+tabbing with update manager next time I get a chance.

[linx255]

And another thing: I've noticed sometimes, if not always, when I launch Firefox from my panel it does not get focus. No other program on my panel does this. I wonder if there is any common thread here.

[Monsta]

I did one more experiment (thanks to Stefano-K for the hint), this time replacing MATE's window manager (Marco) with Xfce's one (xfwm4). The issue is not reproducible with it, just as it isn't in Cinnamon or Xfce, so I concluded this is a bug in Marco.

However, if you replace Marco with Metacity (Marco is a fork of Metacity), the issue is reproducible, which might indicate this is a legacy bug.

I've filed a bug report to MATE developers.

[linx255]

Thank you

[Monsta]

Fixed in mate-polkit 1.10.1 which has been released yesterday. Wait for Clem to push this release to Mint repos.

[linx255]

I'm using mate-polkit 1.8.0-0+qiana, but I still encounter this problem with the password window and other windows, such as various ones in Libreoffice Calc, just FYI.
It happens when I click on Synaptic Package Manager in Control Center.
I am still using Mint 17, don't know if this fix was introduced into a later ver of Mint.

[karlchen]

Hello, linx255.

Looks as if Mint 17 Qiana and Mint 17.1 Rebecca still use the unfixed mate-polkit 1.8.
Mint 17.2 Rafaela seems to use the bug-fixed mate-polkit 1.10.
Mint 17.3 Rosa brings along mate-polkit 1.12, which sould hold the bug-fix as well
Cf. http://packages.linuxmint.com and check mate-polkit for Qiana, Rebecca, Rafaela and Rosa
So MATE users of Qiana and Rebecca have not received the bug-fixed mate-polkit, yet. Maybe some day they will, maybe they won't.

Cheers,
Karl