! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
When hibernating, xfce request for password is hidden behind the hibernate di...
Status:
RESOLVED: MOVED
Product:
Xfce4-session
Component:
General

Comments

Description Carlos E. R. 2013-12-27 22:58:49 CET
Created attachment 5281 
Photo of situation

I'm reporting here on request from the openSUSE package maintainer. See https://bugzilla.novell.com/show_bug.cgi?id=856773#c3

I'm using XFCE 4.10.0 on openSUSE 13.1

Description: I click on hibernate. The system requests root's password to continue action, but this modal dialog is displayed _behind_ the dialog asking the user to select hibernate, logout, reset, etc, and neither dialog can be moved with the mouse. The password has to be typed blindly.

I will attempt to attach a photo showing this situation.
Comment 1 Guido Berhoerster 2013-12-27 23:17:42 CET
Just to clarify, the dialog is a PolicyKit agent (in this case the GNOME one). Depending on the PolicyKit configuration, Shutdown/Reboot/Suspend/Hibernate via ConsoleKit or systemd may require authentication through a PolicyKit agent.

xfce4-session calls the corresponding DBus methods synchronously which brings up the authentication agent while the modal logout dialog is still in the foreground making it impossible to interact with the agent.
Comment 2 Simon Steinbeiss 2014-12-01 13:26:56 CET
@Guido: While I haven't been able to reproduce this issue, do I understand you correctly in that you're suggesting the shutdown dialog shouldn't be modal anymore to solve this?
Comment 3 Guido Berhoerster 2014-12-01 14:01:06 CET
(In reply to Simon Steinbeiss from comment #2)
> @Guido: While I haven't been able to reproduce this issue, do I understand

It's quite simple to reproduce, just take a polkit action associated with a ConsoleKit or logind DBus method used by the Log-out dialog, e.g. org.freedesktop.login1.power-off for poweroff via logind, then configure polkit to require authentication of the active user with the root password for it (auth_admin). Now if you have a polkit agent installed like gnome-polkit it'll come up and request the root password each time you call that DBus method, in case of the Log-Out dialog it happens to be behind the overlay window.

> you correctly in that you're suggesting the shutdown dialog shouldn't be
> modal anymore to solve this?

Yeah, I guess removing the semi-transparent overlay window and keyboard grab after the user has clicked a button and before calling any DBus method synchronously would probably mitigate the issue, that is the polkit agent's window should be usable.
Of course the real issue is that Xfce uses DBus/polkit but lacks an integrated polkit-agent.
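An added example, not code from this bug or from Xfce: the polkit rule that comment 3 describes, requiring auth_admin from the active local user for the logind power actions, written the way a /etc/polkit-1/rules.d/ file is, plus a small stand-in for polkitd's rule engine so the rule can be checked outside polkitd. The stand-in `polkit` object, the `evaluate()` helper and the extension from power-off to the other logind actions are assumptions; a real rules file contains only the `polkit.addRule(...)` call.

```javascript
// Stand-in for the `polkit` object polkitd provides to rules files.
// This is an assumption for running the rule outside polkitd; the Result
// string values mirror the ones polkitd uses (NOT_HANDLED is null).
const polkit = {
  Result: {
    YES: "yes", NO: "no",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// The rule itself, as it would appear in e.g. 50-power-auth-admin.rules.
// Only the active, local session is affected, as comment 3 describes;
// other subjects fall through to polkit's defaults.
polkit.addRule(function (action, subject) {
  var powerActions = [
    "org.freedesktop.login1.power-off",
    "org.freedesktop.login1.reboot",
    "org.freedesktop.login1.suspend",
    "org.freedesktop.login1.hibernate",
  ];
  if (powerActions.indexOf(action.id) !== -1 && subject.local && subject.active) {
    return polkit.Result.AUTH_ADMIN;
  }
  return polkit.Result.NOT_HANDLED;
});

// Stand-in for polkitd's evaluation order: the first rule returning a
// non-null result decides; null means no rule handled the action.
function evaluate(actionId, subject) {
  for (const rule of polkit._rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== null && result !== undefined) return result;
  }
  return null;
}
```

With this rule in place, each logind power call from the Log-Out dialog makes the installed polkit agent prompt for the root password, which is the point at which the hidden-dialog problem reported above becomes visible.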
Comment 4 Steve Dodier-Lazaro 2014-12-01 14:07:50 CET
From a security perspective, we should be able to guarantee that we take the user from the Xfce shutdown dialog where they clicked to the proper PolicyKit agent asking for their password, rather than just let any dialog come up and ask for passwords. This is rather hard if we don't control the PolicyKit agent in use.

We can't do much about malware creating modal spoofs of the polkit agent (this is an impossible problem under X11) but can we at least wait until we know the agent is done spawning before releasing modality on the Xfce dialog?

Question: does the Xfce shutdown dialog need to be re-displayed after a successful / failed interaction with the agent? Or do we consider that the agent is in charge of providing feedback on the outcome of the user clicking on "Hibernate"? Maybe it's better to just remove the dialog at this point.
Comment 5 Guido Berhoerster 2014-12-01 14:39:19 CET
(In reply to Steve Dodier-Lazaro from comment #4)
> From a security perspective, we should be able to guarantee that we take the
> user from the Xfce shutdown dialog where they clicked to the proper
> PolicyKit agent asking for their password, rather than just let any dialog
> come up and ask for passwords. This is rather hard if we don't control the
> PolicyKit agent in use.

Yes, if you want to address this properly, you'd need to integrate a polkit agent into xfce4-session. Given current manpower some simple workaround is probably the best we can do right now and I'm happy at least someone takes care of that.

> We can't do much about malware creating modal spoofs of the polkit agent
> (this is an impossible problem under X11) but can we at least wait until we
> know the agent is done spawning before releasing modality on the Xfce dialog?

It is not an impossible problem under X11 but it requires tight integration with supporting security features of the underlying OS, e.g. Trusted Solaris addressed this problem years ago.
But given the current state of affairs it is impossible for the Log-Out dialog to know when the polkit agent's window is mapped since it is DBus activated. Apart from that, neither of the dialogs are really "modal" anyway so this does not change anything in terms of security.

> Question: does the Xfce shutdown dialog need to be re-displayed after a
> successful / failed interaction with the agent? Or do we consider that the
> agent is in charge of providing feedback on the outcome of the user clicking
> on "Hibernate"? Maybe it's better to just remove the dialog at this point.

Re-displaying it seems kind of pointless, we could pop up an error like when e.g. session management blocks logout/shutdown/reboot if we don't just want to hope for the best that the polkit-agent provides reasonable feedback.
Comment 6 Simon Steinbeiss 2015-02-19 17:43:20 CET
There is a fairly simple workaround for this situation, which is to use the "Action Buttons" plugin of the panel and using the "Hibernate" menu-item from there. It spawns a normal GtkDialog that doesn't block input to any other window and should therefore allow a user to enter his/her password.

@Guido: So if you're ok with it, I'd prefer it if we could demote this bug and drop it from the list of critical bugs for 4.12.
Comment 7 Guido Berhoerster 2015-02-20 00:19:06 CET
(In reply to Simon Steinbeiss from comment #6)
> There is a fairly simple workaround for this situation, which is to use the
> "Action Buttons" plugin of the panel and using the "Hibernate" menu-item
> from there. It spawns a normal GtkDialog that doesn't block input to any
> other window and should therefore allow a user to enter his/her password.
>
> @Guido: So if you're ok with it, I'd prefer it if we could demote this bug
> and drop it from the list of critical bugs for 4.12.

Well if nobody is going to address it before the release, then yeah sure.
However, given the above and the fact that there is already a codepath disabling the screen-modality when accessibility methods are active, would it be acceptable if I came up with a patch that always disables the keyboard grab and background screenshot for now until this is properly redesigned?
Comment 8 Steve Dodier-Lazaro 2015-02-28 15:39:51 CET
At this stage and given there's no way for us to build security whatsoever against spoofs (X11, D-Bus activated third-party app), I would drop the modality of the dialog and do a release to avoid users getting stuck?

For 4.14, we could talk to the GNOME devs to have a way of identifying this agent's window id and putting it on the foreground, at least when using xfwm?
Comment 9 Simon Steinbeiss 2015-03-01 16:33:06 CET
Maybe we should explore making this part of the session: https://github.com/ncopa/xfce-polkit
Comment 10 Git Bot 2020-05-26 00:45:25 CEST
-- GitLab Migration Automatic Message --

This bug has been migrated to xfce.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.xfce.org/xfce/xfce4-session/-/issues/20.

Please create an account or use an existing account on one of our supported OAuth providers. 

If you want to fork to submit patches and merge requests please continue reading here: https://docs.xfce.org/contribute/dev/git/start#gitlab_forks_and_merge_requests

Also feel free to reach out to us on the mailing list https://mail.xfce.org/mailman/listinfo/xfce4-dev

Bug #10581

Reported by:
Carlos E. R.
Reported on: 2013-12-27
Last modified on: 2020-05-26

People

Assignee:
Xfce Bug Triage
CC List:
5 users

Version

Version:
4.10.0

Attachments

Photo of situation (810.37 KB, image/jpeg)
2013-12-27 22:58 CET , Carlos E. R.
no flags