Bug#561448: libpam-alreadyloggedin: Fake sense of security?

2009-12-17 Thread Frank Lin PIAT
Hello,

Don't get me wrong with this bug. I am thankful for your packaging for
Debian. It's just that I (we?) want to avoid upsetting users who may
discover that their system isn't as secure as they thought.

On Thu, 2009-12-17 at 11:20 +0100, Jakub Wilk wrote:
> Thanks for your report!
> 
> * Frank Lin PIAT , 2009-12-17, 09:59:
> >I am seriously concerned by the fake sense of security that such tool
> >provides (I must say that some other pam modules are scary).
> >
> >For instance, using vlock and libpam-alreadyloggedin on the same machine
> >provides the same level of security as a blank password, if not less.
> 
> Of course, if you take two arbitrary tools, you can always combine them 
> in a nonsensical way.

Installing any two arbitrary tools, with their default settings, should
never expose the system.

(Let me know if you know any, I'll take care of filing bugs.)

>  Why should I care particularly about vlock?

This is not specific to vlock. It's just the one at the top of my mind.

It is common for documentation to warn about security risks.

> I thought that Unix software is supposed to assume that users know what 
> they do.

We aren't in the 70s~90s anymore; Debian does target end-users.


> >Please, add appropriate warning to this package description and README.
> 
> Feel free to propose wording, but I really think the current description 
> clearly describes what this software does.

Maybe something like:
 "Security note: The interaction with other programs that leave
  console sessions active should be considered seriously; this
  especially applies to console screen-savers, like vlock."

I tried to write it in a way which isn't too scary.
You probably want to improve my suggestion, since you probably have a
better understanding of the security implication of this tool than I do.

> >BTW, it is recommended to submit an ITP bug before uploading a new
> >package in the archive, so other DDs can provide feedback.
> 
> Why do you think I didn't submit one?

I probably made a typo when I searched my debian-devel folder, sorry for
the noise.

Thanks,

Franklin

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#561448: libpam-alreadyloggedin: Fake sense of security?

2009-12-17 Thread Jakub Wilk

Thanks for your report!

* Frank Lin PIAT , 2009-12-17, 09:59:
> I am seriously concerned by the fake sense of security that such tool
> provides (I must say that some other pam modules are scary).
>
> For instance, using vlock and libpam-alreadyloggedin on the same machine
> provides the same level of security as a blank password, if not less.

Of course, if you take two arbitrary tools, you can always combine them 
in a nonsensical way. Why should I care particularly about vlock?

I thought that Unix software is supposed to assume that users know what 
they do.

> As of 2009, where most people use either XWindow/ssh/screen, I see little
> benefit in using this tool (YMMV).

Most packages in Debian are used only by a tiny minority of users. What is 
wrong with that?

> Please, add appropriate warning to this package description and README.

Feel free to propose wording, but I really think the current description 
clearly describes what this software does.

> BTW, it is recommended to submit an ITP bug before uploading a new
> package in the archive, so other DDs can provide feedback.

Why do you think I didn't submit one?

--
Jakub Wilk


Bug#561448: libpam-alreadyloggedin: Fake sense of security?

2009-12-17 Thread Frank Lin PIAT
Package: libpam-alreadyloggedin
Version: 0.3-1
Severity: important

Hello,

I am seriously concerned by the fake sense of security that such tool
provides (I must say that some other pam modules are scary).

For instance, using vlock and libpam-alreadyloggedin on the same machine
provides the same level of security as a blank password, if not less.

As of 2009, where most people use either XWindow/ssh/screen, I see little
benefit in using this tool (YMMV).

Please, add appropriate warning to this package description and README.

Thank you for your effort.

Franklin

BTW, it is recommended to submit an ITP bug before uploading a new
package in the archive, so other DDs can provide feedback.
