Bug 141267

Summary: wallet password dialog should stay in front
Product: [Applications] kwalletmanager Reporter: Aaron Williams <aaronw>
Component: generalAssignee: Valentin Rusu <valir>
Status: CONFIRMED ---    
Severity: normal CC: antkaid+bugskde, cputtick, craig.magina, dannybaumann, gmludo, kai, kde2, kde, kdebugs, korossy, mail+kde, marc.collin, markus.blaschke, matejm98mthw, michael.hmich, mk.mateng, nate, neo6238-kde, noskule, post, public, rjvbertin, StormByte, tero.ratilainen, valir
Priority: VHI Keywords: usability
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=312325
https://bugs.kde.org/show_bug.cgi?id=384935
https://bugs.kde.org/show_bug.cgi?id=131430
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: kwalletd "make foreground" patch (for 5.60.0)

Description Aaron Williams 2007-02-06 10:21:27 UTC
Version:           1.1 (using KDE 3.5.6 "release 25.2" , openSUSE )
Compiler:          Target: x86_64-suse-linux
OS:                Linux (x86_64) release 2.6.18.2-34-default

On many occasions I have had other applications or windows pop up while I am in the process of entering my password into the kwallet dialog.  Some of these could be IMs or other windows where typing my password would be a major problem.  Kwallet should attempt to keep the wallet dialog box at the front, or have an option for that, so other applications cannot easily steal the focus away unless the user selects this.
Comment 1 Marc Collin 2007-02-07 03:07:05 UTC
it's not really a bug, but a feature you want...
Comment 2 Aaron Williams 2007-07-25 00:02:04 UTC
I consider it a bug since I could be typing in my password when another window, i.e. an IM session, pops up and my password ends up there by mistake. From a security perspective, it can be dangerous to have other windows interrupt typing a password in.
Comment 3 Michael Leupold 2008-05-06 18:46:11 UTC
*** Bug 135591 has been marked as a duplicate of this bug. ***
Comment 4 Michael Leupold 2008-06-14 16:06:54 UTC
*** Bug 145882 has been marked as a duplicate of this bug. ***
Comment 5 Christoph Feck 2011-11-24 12:58:44 UTC
*** Bug 286841 has been marked as a duplicate of this bug. ***
Comment 6 Markus Blaschke 2012-01-11 22:44:02 UTC
I agree with comment #2 .. also a "security issue" here
Comment 7 Christoph Feck 2012-04-18 19:09:02 UTC
*** Bug 298366 has been marked as a duplicate of this bug. ***
Comment 8 Bazilio 2012-05-02 06:28:28 UTC
When my system starts superkaramba intercept focus of kwallet dialog window. I always should to press Alt+Tab to get focus back on kwallet dialog.
Comment 9 Craig Magina 2012-09-28 20:49:09 UTC
This is definitely a bug. When my desktop is restoring its previous session and the prompt appears, as other applications start they steal focus, one of those happens to be quassel. Loads of fun to type your password, hit enter and realize you just posted it to a public irc channel.
Comment 10 Tim Ruffing 2012-10-24 20:23:52 UTC
Setting focus stealing prevention to extreme is a possible (but very weak) workaround.
Comment 11 Diggory Hardy 2013-01-28 15:08:15 UTC
Duplicate of #125724 ?
Comment 12 Valentin Rusu 2013-09-03 21:48:07 UTC
*** Bug 125724 has been marked as a duplicate of this bug. ***
Comment 13 michaelk83 2022-09-06 11:04:16 UTC
*** Bug 436531 has been marked as a duplicate of this bug. ***
Comment 14 michaelk83 2022-09-06 11:09:38 UTC
*** Bug 337122 has been marked as a duplicate of this bug. ***
Comment 15 michaelk83 2022-09-06 12:01:57 UTC
*** Bug 448653 has been marked as a duplicate of this bug. ***
Comment 16 michaelk83 2022-09-06 13:01:06 UTC
*** Bug 401214 has been marked as a duplicate of this bug. ***
Comment 17 Nate Graham 2022-09-06 13:06:13 UTC
*** Bug 400163 has been marked as a duplicate of this bug. ***
Comment 18 michaelk83 2022-09-06 14:17:35 UTC
*** Bug 286956 has been marked as a duplicate of this bug. ***
Comment 19 michaelk83 2022-09-06 14:21:53 UTC
*** Bug 335881 has been marked as a duplicate of this bug. ***
Comment 20 Ralf Jung 2022-11-12 15:19:07 UTC
In Gnome, the keyring password dialog is integrated with the entire session: it is not a regular window, but a prompt that blacks out the rest of the screen. I like that since it means I cannot accidentally enter my password somewhere else if weird things happen with the focus.

Maybe it'd make sense for KDE to also use that approach?
Comment 21 RJVB 2022-11-12 17:22:43 UTC
I can see how that could be an advantage to some people, but it'd be a no-go for me. If something wants me to enter a password

1) I want to be able to let that pend while I finish something else (could be watching a movie)
2) I want to be able to move the dialog, for instance to see who is requesting my password
Comment 22 Kai Krakow 2022-11-13 13:56:57 UTC
(In reply to RJVB from comment #21)
> I can see how that could be an advantage to some people, but it'd be a no-go
> for me. If something wants me to enter a password
> 
> 1) I want to be able to let that pend while I finish something else (could
> be watching a movie)
> 2) I want to be able to move the dialog, for instance to see who is
> requesting my password

I think the point here is rather about focus stealing by other applications. If a password dialog pops up and I start typing in it, I don't want other applications to steal the focus.

I had situations in the past when I started two applications by clicking two icons. The first one started fast, and the password dialog popped up, I then started entering by password while the second application finally started, stole the focus with a cursor in a chat window, and me just typing the password in the chat window and hitting enter unnoticed.

A full screen modal dialog prevents that but I'm with your opinion that we should not have this kind of modal full screen dialog. Rather, the password dialog should ensure nothing can steal its focus while the cursor sits in its input field. If I manually unfocus the input field, I don't actually care about what the dialog does, letting it pend in the background, the same as you do: to finish a task or find what is actually requesting the password.

So while the password input field is in focus, the dialog should ensure two things:

1. Not letting some other window steal its focus (maybe this needs support from the window manager)
2. Stay in front (so it doesn't go unnoticed behind other windows popping up shortly after it)

But it should also not grab focus unconditionally. Example: I'm currently typing in an editor or chat application, suddenly a password dialog pops up, grabbing focus, and I would enter a wrong password. In the best case, it would just ask again, in the worst case, it may lock an account or fail an operation you didn't want to fail. So if I am actively typing somewhere currently, the password dialog should not focus itself (or at least not focus the password field) but rather just display on top, maybe with some visual distraction like flashing the taskbar item.
Comment 23 Ralf Jung 2022-11-13 14:44:19 UTC
I regularly have the situation where I don't even notice the wallet prompt opening, and then later I wonder why my wifi does not connect. So I would definitely prefer a full-session modal dialog. This is one of the things that IMO Gnome got right. (And generally, everything security-sensitive needs a full-session modal dialog to ensure that applications cannot fake a window that looks exactly the same. That's why these kinds of dialogs are typically full-session modal on other OSes, too.)
Comment 24 RJVB 2022-11-13 15:53:53 UTC
Password dialogs aren't FS modal on MSWin nor the Mac OS (except the ones unlocking the screensaver). 

I run self-built frameworks, patched for my convenience (convictions, etc). I'll attach the one I use to ensure kwalletd always pushes its pw dialog to the front.

kwalletd doesn't run with RT priorities so occasionally it takes a while to respond on a swamped system. Thus, it does happen that I enter something unforeseen into the dialog. Preventing that is going to be very hard, but it could be an option to require a modifier to accept the entered text via the Enter/Return key. That should reduce the chances of validating an invalid PW, while still not be as invasive as requiring the mouse to be used. Alternatively, disable the Enter/Return key but support using keyboard-based navigation to activate the accept button.
Comment 25 RJVB 2022-11-13 15:55:12 UTC
Created attachment 153715 [details]
kwalletd "make foreground" patch (for 5.60.0)

Ensures that the pw dialog always opens in front.
Comment 26 Nate Graham 2024-02-26 19:04:09 UTC
*** Bug 481663 has been marked as a duplicate of this bug. ***