Welcome to the world of running root programs under X :( The injection of X events into running root applications is generally feasible. It is even more easy to ptrace() all user's processes and try whether they have a sudo tty ticket. The latter method is even easier and just requires 10 lines of shell and an installed gdb.
Therefore I unmarked this as security/private, since it is nothing special. I keep it open since it might be fixed in Feisty. However, I believe that it does make senese to not make the terminal read-only, because sometimes dpkg asks conffile questions, and some broken packages might even ask interactive questions without using debconf. I leave the judgement of whether to keep this open to Michael. ** Visibility changed to: Public ** This bug is no longer flagged as a security issue -- The build-in terminal is not set read-only https://launchpad.net/bugs/43328 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs