Ubuntu
policykit-desktop-privileges package

Require password when starting usb-creator

Bug #1832337 reported by Mike Salvatore
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
policykit-desktop-privileges (Ubuntu)
Fix Released
Undecided
Ubuntu Security Team
usb-creator (Ubuntu)
Fix Released
Undecided
Ubuntu Security Team

Bug Description

Because usb-creator performs privileged actions, it should require authentication prior to starting. policykit-desktop-privileges should be modified so that usb-creator requires password authentication prior to starting.

While it was a deliberate design decision to allow usb-creator to perform mounting and writing without authentication (see https://bugs.launchpad.net/ubuntu/+source/policykit-desktop-privileges/+bug/1568149), this decision should be revisited. Allowing the use of usb-creator without authentication presents an unnecessary security risk.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This will also require usb-creator to be modified to have a single policykit prompt.

Changed in usb-creator (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in policykit-desktop-privileges (Ubuntu):
status: New → In Progress
Changed in usb-creator (Ubuntu):
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package usb-creator - 0.3.6

---------------
usb-creator (0.3.6) eoan; urgency=medium

  * Unmount device during image operation so a single policykit prompt can
    be displayed to the user. (LP: #1832337)

 -- Marc Deslauriers <email address hidden> Tue, 18 Jun 2019 14:19:59 -0400

Changed in usb-creator (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-desktop-privileges - 0.21

---------------
policykit-desktop-privileges (0.21) eoan; urgency=medium

  * Don't allow usb-creator to overwrite devices without authentication.
    (LP: #1832337)

 -- Marc Deslauriers <email address hidden> Tue, 18 Jun 2019 13:56:08 -0400

Changed in policykit-desktop-privileges (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Bib (bybeu) wrote :

IIUC, when anyone who plugs a removable USB stick in a PC it is mounted in /media/<user>/<label> and, as long as the FS in the device does not support privileges attributes (e.g. FAT32), anyone is granted the rights to overwrite anything (but partitions ?) in the device. So I don't see why anyone would be bored with authentication for this task. Let me know if I forget something.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.