Debian Bug report logs - #474024
gksu: locking mouse/keyboard not enough to protect against keylogging

version graph

Package: gksu; Maintainer for gksu is Gustavo Noronha Silva <kov@debian.org>; Source for gksu is src:gksu.

Reported by: Timo Lindfors <timo.lindfors@iki.fi>

Date: Wed, 2 Apr 2008 19:54:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in version gksu/2.0.0-1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. Full text and rfc822 format available.

Acknowledgement sent to Timo Lindfors <timo.lindfors@iki.fi>:
New Bug report received and forwarded. Copy sent to Gustavo Noronha Silva <kov@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Timo Lindfors <timo.lindfors@iki.fi>
To: bugs@debian.org
Subject: gksu: locking mouse/keyboard not enough to protect against keylogging
Date: Wed, 02 Apr 2008 22:53:41 +0300
Package: gksu
Version: 2.0.0-1
Severity: wishlist

This is a wishlist bug: I wish 'man gksu' would be improved to warn
about the issue.

Description of the problem:

man gksu mentions that gksu can "lock" keyboard, mouse and focus
before it asks for a password. This can easily give the misconception
that other programs running with the privileges of the user could not
capture the password. For example wikipedia claims

  "If either gksudo's "lock" feature or UAC's Secure Desktop were
   compromised or disabled, malicious applications could gain
   administrator privileges by using keystroke logging to record the
   administrator's password;"

http://en.wikipedia.org/wiki/Comparison_of_privilege_authorization_features

This claim is untrue since a malicious application running with the
privileges of the user can run

strace -p `pidof gksu` -s 4096 -o strace.out

and later recover the password (here "test1234") from strace.out:

...
write(13, "test1234\0", 9)              = 9
write(13, "\n", 1)                      = 1
read(13, "\r\n", 255)                   = 2
read(13, "su: Authentication failure\r\nSorry.\r\n", 255) = 36
...


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686-bigmem
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)

Versions of packages gksu depends on:
ii  gnome-keyring          0.6.0-3           GNOME keyring services (daemon and
ii  libatk1.0-0            1.12.4-3          The ATK accessibility toolkit
ii  libc6                  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libcairo2              1.2.4-4           The Cairo 2D vector graphics libra
ii  libfontconfig1         2.4.2-1.2         generic font configuration library
ii  libgconf2-4            2.16.1-1          GNOME configuration database syste
ii  libgksu2-0             2.0.3-7           library providing su and sudo func
ii  libglib2.0-0           2.12.4-2          The GLib library of C routines
ii  libgnome-keyring0      0.6.0-3           GNOME keyring services library
ii  libgtk2.0-0            2.8.20-7          The GTK+ graphical user interface 
ii  liborbit2              1:2.14.3-0.2      libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0          1.14.8-5          Layout and rendering of internatio
ii  libstartup-notificatio 0.8-2             library for program launch feedbac
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxcursor1            1.1.7-4           X cursor management library
ii  libxext6               1:1.0.1-2         X11 miscellaneous extension librar
ii  libxfixes3             1:4.0.1-5         X11 miscellaneous 'fixes' extensio
ii  libxi6                 1:1.0.1-4         X11 Input extension library
ii  libxinerama1           1:1.0.1-4.1       X11 Xinerama extension library
ii  libxrandr2             2:1.1.0.2-5       X11 RandR extension library
ii  libxrender1            1:0.9.1-3         X Rendering Extension client libra
ii  sudo                   1.6.8p12-4        Provide limited super user privile

gksu recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. Full text and rfc822 format available.

Acknowledgement sent to 474024@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. Full text and rfc822 format available.

Message #10 received at 474024@bugs.debian.org (full text, mbox):

From: Josselin Mouette <joss@debian.org>
To: Timo Lindfors <timo.lindfors@iki.fi>, 474024@bugs.debian.org
Subject: Re: Bug#474024: gksu: locking mouse/keyboard not enough to protect against keylogging
Date: Sat, 26 Apr 2008 23:19:10 +0200
[Message part 1 (text/plain, inline)]
severity 474024 important
tag 474024 + security
thanks

Le mercredi 02 avril 2008 à 22:53 +0300, Timo Lindfors a écrit :
> man gksu mentions that gksu can "lock" keyboard, mouse and focus
> before it asks for a password. This can easily give the misconception
> that other programs running with the privileges of the user could not
> capture the password.

> This claim is untrue since a malicious application running with the
> privileges of the user can run
> 
> strace -p `pidof gksu` -s 4096 -o strace.out
> 
> and later recover the password (here "test1234") from strace.out:

Indeed, gksu should be made setgid something to protect against such
attacks.

Cheers,
-- 
 .''`.
: :' :      We are debian.org. Lower your prices, surrender your code.
`. `'       We will add your hardware and software distinctiveness to
  `-        our own. Resistance is futile.
[signature.asc (application/pgp-signature, inline)]

Severity set to `important' from `wishlist' Request was from Josselin Mouette <joss@debian.org> to control@bugs.debian.org. (Sat, 26 Apr 2008 21:21:05 GMT) Full text and rfc822 format available.

Tags added: security Request was from Josselin Mouette <joss@debian.org> to control@bugs.debian.org. (Sat, 26 Apr 2008 21:21:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. Full text and rfc822 format available.

Acknowledgement sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. Full text and rfc822 format available.

Message #19 received at 474024@bugs.debian.org (full text, mbox):

From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
To: 474024@bugs.debian.org
Subject: Re: Bug#474024: gksu: locking mouse/keyboard not enough to protect against keylogging
Date: Sat, 03 May 2008 14:32:23 +0300
Hi,

Josselin Mouette <joss@debian.org> writes:
> Indeed, gksu should be made setgid something to protect against such
> attacks.

Hmm, is this really worth it? Couldn't the malicious process next just
do

1) cp /usr/bin/gksudo /tmp/bin/gksudo

2) ptrace POKETEXT all potential parents of gksudo to call
   /tmp/bin/gksudo instead

What if gksudo showed a "personalized greeting text" that only the
local user knows? This way user could detect if she/he is actually
talking to the real setgid gksudo that can read the "secret" greeting
from disk. (Of course normal people are way too lazy to set something
like this.)

best regards,
Timo Lindfors




Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Tue, 05 May 2009 06:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Tue, 05 May 2009 06:00:02 GMT) Full text and rfc822 format available.

Message #24 received at 474024@bugs.debian.org (full text, mbox):

From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
To: 474024@bugs.debian.org
Subject: malicious applications can print text over gksu window
Date: Mon, 04 May 2009 23:07:12 +0300
Hi,

if I have compromised the account of the normal user of the machine
and run

gksu dangerous-command

followed by

osd_cat -o 290 -i 410 -c black -d 100 <(echo harmless-command)

then the user sitting near the system will think that he is giving
permission to run harmless-command even though he is really going to
run dangerous-command.

I still propose that "man gksu" should be improved to warn about these
issues so that people don't get false sense of security.

best regards,
Timo Lindfors






Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Tue, 05 May 2009 09:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to 474024@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Tue, 05 May 2009 09:51:05 GMT) Full text and rfc822 format available.

Message #29 received at 474024@bugs.debian.org (full text, mbox):

From: Gustavo Noronha <kov@debian.org>
To: Timo Juhani Lindfors <timo.lindfors@iki.fi>, 474024@bugs.debian.org
Subject: Re: Bug#474024: malicious applications can print text over gksu window
Date: Tue, 05 May 2009 06:46:46 -0300
[Message part 1 (text/plain, inline)]
On Mon, 2009-05-04 at 23:07 +0300, Timo Juhani Lindfors wrote:
> Hi,

Hey,

> I still propose that "man gksu" should be improved to warn about these
> issues so that people don't get false sense of security.

Sounds good! Would you provide a patch to the manpage, explaining these
issues?

Thanks!

-- 
Gustavo Noronha <kov@debian.org>
Debian Project
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Tue, 05 May 2009 10:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Tue, 05 May 2009 10:06:02 GMT) Full text and rfc822 format available.

Message #34 received at 474024@bugs.debian.org (full text, mbox):

From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
To: 474024@bugs.debian.org
Subject: Re: Bug#474024: malicious applications can print text over gksu window
Date: Tue, 05 May 2009 13:00:29 +0300
[Message part 1 (text/plain, inline)]
Gustavo Noronha <kov@debian.org> writes:
> Sounds good! Would you provide a patch to the manpage, explaining these
> issues?

Would the attached patch do?

[gksu-ptrace-warning1.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Sat, 16 May 2009 13:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to 474024@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Sat, 16 May 2009 13:00:02 GMT) Full text and rfc822 format available.

Message #39 received at 474024@bugs.debian.org (full text, mbox):

From: Gustavo Noronha <kov@debian.org>
To: Timo Juhani Lindfors <timo.lindfors@iki.fi>, 474024@bugs.debian.org
Subject: Re: Bug#474024: malicious applications can print text over gksu window
Date: Sat, 16 May 2009 09:56:13 -0300
On Tue, 2009-05-05 at 13:00 +0300, Timo Juhani Lindfors wrote:
> Gustavo Noronha <kov@debian.org> writes:
> > Sounds good! Would you provide a patch to the manpage, explaining these
> > issues?
> 
> Would the attached patch do?

I think saying it's ineffective is a bit too much. It does block
applications which are using a specific technique, so it's partially
effective. But otherwise looks good to me.

I'll have it applied with a minor modification:

able to read the password by eavesdropping the X connection. However,
this is ineffective against malicious applications that use ptrace() to
capture the password. See http://bugs.debian.org/474024 for more info.

Sounds good to you?

-- 
Gustavo Noronha <kov@debian.org>
Debian Project





Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Sat, 16 May 2009 13:15:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Sat, 16 May 2009 13:15:18 GMT) Full text and rfc822 format available.

Message #44 received at 474024@bugs.debian.org (full text, mbox):

From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
To: 474024@bugs.debian.org
Subject: Re: Bug#474024: malicious applications can print text over gksu window
Date: Sat, 16 May 2009 16:14:41 +0300
Gustavo Noronha <kov@debian.org> writes:
> able to read the password by eavesdropping the X connection. However,
> this is ineffective against malicious applications that use ptrace() to
> capture the password. See http://bugs.debian.org/474024 for more info.

Doesn't this give the wrong impression? Somebody might disable ptrace
from their system and think they are safe?

In reality also ltrace (using LD_PRELOAD) can capture the password.





Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Tue, 19 May 2009 01:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to 474024@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Tue, 19 May 2009 01:21:05 GMT) Full text and rfc822 format available.

Message #49 received at 474024@bugs.debian.org (full text, mbox):

From: Gustavo Noronha <kov@debian.org>
To: Timo Juhani Lindfors <timo.lindfors@iki.fi>, 474024@bugs.debian.org
Subject: Re: Bug#474024: malicious applications can print text over gksu window
Date: Mon, 18 May 2009 22:16:59 -0300
tag 474024 fixed-upstream
thanks

On Sat, 2009-05-16 at 16:14 +0300, Timo Juhani Lindfors wrote:
> Gustavo Noronha <kov@debian.org> writes:
> > able to read the password by eavesdropping the X connection. However,
> > this is ineffective against malicious applications that use ptrace() to
> > capture the password. See http://bugs.debian.org/474024 for more info.
> 
> Doesn't this give the wrong impression? Somebody might disable ptrace
> from their system and think they are safe?
> 
> In reality also ltrace (using LD_PRELOAD) can capture the password.

I have committed the following:

+.PP
+.B gksu
+tries to "lock" the keyboard, mouse and focus to prevent other
+applications from being able to read the password by eavesdropping the
+X connection. However, this is not enough to ensure 100% protection,
+since malicious applications can still use tracing calls such as
+ptrace() to capture the password. See Debian bug #474024 for more
+info.

Thanks for your work on this!

See you,

-- 
Gustavo Noronha <kov@debian.org>
Debian Project





Tags added: fixed-upstream Request was from Gustavo Noronha <kov@debian.org> to control@bugs.debian.org. (Tue, 19 May 2009 02:00:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Sat, 30 Oct 2010 22:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Yury V. Zaytsev" <yury@shurup.com>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Sat, 30 Oct 2010 22:00:03 GMT) Full text and rfc822 format available.

Message #56 received at 474024@bugs.debian.org (full text, mbox):

From: "Yury V. Zaytsev" <yury@shurup.com>
To: 474024@bugs.debian.org
Subject: Fixed upstream?
Date: Sat, 30 Oct 2010 23:36:55 +0200
Hi!

Another fine example:

$ wget ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/xspy-1.0c.tar.gz
$ tar -xzvf xspy-1.0c.tar.gz 
$ gcc *.c -lX11 -DNULL=0 -o xspy
$ ./xspy 

$ gksu /bin/true

Enjoy reading your password and there's even no need to ptrace anything:
just query the keymap repeatedly and that's it. Maybe worth to note,
that this "exploit" has been out there for 8 years, at least...

Considering the above, I would actually claim that gksu IS ineffective
as it is shipped now and I can't see how this issue could possibly be
fixed-upstream by applying a patch adding a warning to the man page.

Hmmm...
 
-- 
Sincerely yours,
Yury V. Zaytsev





Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Sun, 31 Oct 2010 06:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to 474024@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Sun, 31 Oct 2010 06:42:03 GMT) Full text and rfc822 format available.

Message #61 received at 474024@bugs.debian.org (full text, mbox):

From: Josselin Mouette <joss@debian.org>
To: "Yury V. Zaytsev" <yury@shurup.com>, 474024@bugs.debian.org
Subject: Re: Bug#474024: Fixed upstream?
Date: Sun, 31 Oct 2010 07:38:55 +0100
Le samedi 30 octobre 2010 à 23:36 +0200, Yury V. Zaytsev a écrit :
> $ wget ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/xspy-1.0c.tar.gz
> $ tar -xzvf xspy-1.0c.tar.gz 
> $ gcc *.c -lX11 -DNULL=0 -o xspy
> $ ./xspy 
> 
> $ gksu /bin/true
> 
> Enjoy reading your password and there's even no need to ptrace anything:
> just query the keymap repeatedly and that's it. Maybe worth to note,
> that this "exploit" has been out there for 8 years, at least...
> 
> Considering the above, I would actually claim that gksu IS ineffective
> as it is shipped now and I can't see how this issue could possibly be
> fixed-upstream by applying a patch adding a warning to the man page.

If you ever believed that there is *any* way to prevent a program having
access to your session to obtain root access when you use the same
session to do stuff as root, you have been abused. It’s possible to make
things harder, but the purpose of locking keyboard and mouse is to avoid
leaking *accidentally* the password. If there is a malicious program
running in your session, you are completely screwed.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'  “If you behave this way because you are blackmailed by someone,
  `-    […] I will see what I can do for you.”  -- Jörg Schilling





Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Sun, 31 Oct 2010 18:09:56 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Yury V. Zaytsev" <yury@shurup.com>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Sun, 31 Oct 2010 18:09:56 GMT) Full text and rfc822 format available.

Message #66 received at 474024@bugs.debian.org (full text, mbox):

From: "Yury V. Zaytsev" <yury@shurup.com>
To: 474024@bugs.debian.org
Subject: Re: Bug#474024: Fixed upstream?
Date: Sun, 31 Oct 2010 19:58:52 +0100
Hi!

On Sun, 2010-10-31 at 07:38 +0100, Josselin Mouette wrote:

> If you ever believed that there is *any* way to prevent a program having
> access to your session to obtain root access when you use the same
> session to do stuff as root, you have been abused. 

Would you please rephrase your message in a way to make it clear what
kind of effective conclusion the reader has to make?

1) I personally have been abused and rather have to take care of a rehab
session, instead of messing with your conversations on this issue.

2) There is no way to avoid privilege escalation from non-root user to
the root user, which means that all security mechanisms are futile and
redundant, and time working on them is better spent on something else.

3) ...?

> It’s possible to make things harder, but the purpose of locking
> keyboard and mouse is to avoid leaking *accidentally* the password.
> If there is a malicious program running in your session, you are
> completely screwed.

Would you please show an example of what kind of *accidental* password
leak was in mind when the keyboard / mouse locking was developed?

My point is that the attacks described in this bug are over-complicated
comparing to the dump password sniffing using XQueryKeymap and actually
can be mitigated using SELinux and the like, whereas in what concerns
simple X attack nobody seem to care less.

However, this is a serious issue and if those kind of attacks are
mentioned in the man page, unless it is fixed, this "exploit" is the
first obvious candidate to get mentioned as well.

I am not familiar with X development, but I remember seeing a talk last
year where someone was talking about implementing a kind of "secure
desktop" for X where windows would be inaccessible by X queries from
other applications. Maybe you can refresh my memory as a Freedesktop
person...

Apart from that I guess one can at least generate garbage artificially
to confuse XQueryKeymap, in which case the password will probably be
still recoverable after statistical analysis of enough samples, but at
least it would be made way much harder than it is now.
 
-- 
Sincerely yours,
Yury V. Zaytsev





Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Mon, 08 Nov 2010 07:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Mon, 08 Nov 2010 07:39:03 GMT) Full text and rfc822 format available.

Message #71 received at 474024@bugs.debian.org (full text, mbox):

From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
To: "Yury V. Zaytsev" <yury@shurup.com>
Cc: 474024@bugs.debian.org, 474024-submitter@bugs.debian.org, Gustavo Noronha <kov@debian.org>
Subject: Re: Bug#474024: Fixed upstream?
Date: Mon, 08 Nov 2010 09:35:52 +0200
Hi Yury,

thank you for your interest in securing gksu/sudo and related
applications. I noticed your comments just now when I was browsing my
old bugs. Please keep 474024-submitter@bugs.debian.org in Cc if you
want the emails to reach the original submitter of the bug...

So, since I filed that bug I have been prototyping a solution and even
tried to get feedback at the "Wacky ideas" BoF at debconf9 ;-). The
key idea is that password can not be read via X but instead directly
via /dev/input/by-path/platform-i8042-serio-0-event-kbd. This is
relatively easy.

The problem is that it is not enough to read the password securely. We
also need to make sure that the command that the user intended to run
is really the command that will be run. In short: we need an
unspoofable way to show the command to the user. This seems to be very
hard. I have currently explored: switching to another virtual console
(crashy) and XGrabServer (doesn't work if some other program has
already grabbed it). My discussion with xorg people is mainly in the
thread
http://lists.freedesktop.org/archives/xorg/2010-September/051186.html

More notes are at http://iki.fi/lindi/darcs/sido/README






Message sent on to Timo Lindfors <timo.lindfors@iki.fi>:
Bug#474024. (Mon, 08 Nov 2010 07:39:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Thu, 11 Nov 2010 20:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Yury V. Zaytsev" <yury@shurup.com>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Thu, 11 Nov 2010 20:36:03 GMT) Full text and rfc822 format available.

Message #79 received at 474024@bugs.debian.org (full text, mbox):

From: "Yury V. Zaytsev" <yury@shurup.com>
To: Timo Juhani Lindfors <timo.lindfors@iki.fi>
Cc: 474024@bugs.debian.org, 474024-submitter@bugs.debian.org, Gustavo Noronha <kov@debian.org>
Subject: Re: Bug#474024: Fixed upstream?
Date: Thu, 11 Nov 2010 21:32:00 +0100
Hi!

On Mon, 2010-11-08 at 09:35 +0200, Timo Juhani Lindfors wrote:

> thank you for your interest in securing gksu/sudo and related
> applications. I noticed your comments just now when I was browsing my
> old bugs. Please keep 474024-submitter@bugs.debian.org in Cc if you
> want the emails to reach the original submitter of the bug...

Hmmm... that might explain why nobody replies to my calls when I am
closing old bugs. Usability of BTS is at its best! Sorry for that.

> More notes are at http://iki.fi/lindi/darcs/sido/README

That's educative. Hopefully it will resolve into something working soon.
Maybe gksu et al. authors could lend you a hand...?
 
-- 
Sincerely yours,
Yury V. Zaytsev





Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#474024; Package gksu. (Thu, 11 Nov 2010 20:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Thu, 11 Nov 2010 20:48:03 GMT) Full text and rfc822 format available.

Message #84 received at 474024@bugs.debian.org (full text, mbox):

From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
To: "Yury V. Zaytsev" <yury@shurup.com>
Cc: 474024@bugs.debian.org, 474024-submitter@bugs.debian.org, Gustavo Noronha <kov@debian.org>
Subject: Re: Bug#474024: Fixed upstream?
Date: Thu, 11 Nov 2010 22:45:11 +0200
"Yury V. Zaytsev" <yury@shurup.com> writes:
> That's educative. Hopefully it will resolve into something working soon.
> Maybe gksu et al. authors could lend you a hand...?

Maybe but it seems that the X architecture itself is making this quite
hard.




Message sent on to Timo Lindfors <timo.lindfors@iki.fi>:
Bug#474024. (Thu, 11 Nov 2010 20:48:05 GMT) Full text and rfc822 format available.

Message sent on to Timo Lindfors <timo.lindfors@iki.fi>:
Bug#474024. (Thu, 11 Nov 2010 21:03:17 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 15:32:23 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.