Bug 431227

Summary: discover: don't ask for password all the time
Product: [Applications] Discover
Reporter: Martin Zbořil <kdebugzilla>
Component: discover
Assignee: Dan Leinir Turthra Jensen <leinir>
Status: RESOLVED INTENTIONAL
Severity: wishlist
CC: aleixpol, nate
Priority: NOR
Version First Reported In: 5.18.5
Target Milestone: ---
Platform: Kubuntu
OS: Linux

Description Martin Zbořil 2021-01-06 13:24:01 UTC
SUMMARY
Hi! I really like Discover and Muon; it is a decent replacement for Synaptic (and that other not so useful thing), but when using Discover for actual administration, I noticed that it asks for passwords a lot. Is this intended behaviour? Wouldn't it be better to act like sudo and not ask for a password <5 minutes since last prompt?

STEPS TO REPRODUCE
1. Start installing/removing packages in Discover - fill in password
2. While ongoing, do another one - fill in password
3. Repeat step 2 and have to fill in the password all that time again and again without thinking into every input field popping up.

Comment 1 Nate Graham 2021-01-06 16:01:57 UTC
No, I'm afraid not. If Discover asked for your password once when it launched, then during the whole time the app was open, it would have full access to the entire system. That's considered a security risk today. It's far safer to have apps ask for authentication for only the minimum set of actions they need to complete the user's requests.
Comment 2 Martin Zbořil 2021-01-10 13:36:00 UTC
OK, as you think; however, I believe that if you ask your users to fill in passwords a lot, then they will make sure to have easy/no passwords and they will type them everywhere as a reflex - just by avoiding this security risk you may be ruining security as a whole.
Comment 3 Martin Zbořil 2021-01-10 13:46:45 UTC
I've read your answer again and believe that you did not answer my question - I specifically mentioned sudo behaviour - not root forever, but 5 minutes of root-only operations without a password prompt again - just as sudo - it runs, it ends, if you need it again you type sudo and if it's within the time limit and such, it does not ask for the password again... Do you think that sudo is a security risk?
Comment 4 Nate Graham 2021-01-11 06:08:08 UTC
Those are questions for your distro, which determines the timeout duration as a part of its security policies. All Discover does is honor those settings.