Bug 1215590

Summary: Showing the "Authentication Required" root prompt not immediately after clicking "Install" or "Update" in GNOME software is possibly fundamentally insecure
Product: [openSUSE] openSUSE Distribution
Reporter: ell1e <el>
Component: Security
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Leap 15.5
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description ell1e 2023-09-22 01:04:22 UTC
Showing the "Authentication Required" root prompt not immediately after clicking "Install" or "Update" in GNOME software seems to me like it is fundamentally insecure, and I would argue it destroys all security benefits this prompt might possibly bring.

The problem is that you're essentially training the user to just consent to this prompt no matter what horrible malicious actor might be showing it, since it contains zero information allowing the user to verify it was triggered by a legitimate source. I also can't think of any way you could possibly provide that information, since even if you showed the process id and name, another process could just name itself "gnome-software" and the user isn't going to remember the process id.

As a consequence, the only somewhat reliable mechanism the user has for verifying that this prompt is legitimate and not a bad actor is that the prompt showed right after they triggered an action that is actually intended. This however appears to be destroyed by delaying this prompt until the download or whatever preparation steps are complete, rather than as instantly as possible after clicking the "Install" or "Update" button in GNOME software. (Because I assume nobody will be just keeping the GNOME software window and staring at it to check that the prompt happened right after some progress bar reached 100%; at least I certainly don't.)

Comment 1 ell1e 2023-11-16 23:18:21 UTC
This is also a usability problem, because more than once I worked on something else and then without any warning completely out of the blue this prompt pops up way later in the middle of typing, and I accidentally type into it and confirm. This is very easy to do in a fraction of a second. The result is gnome-software just immediately aborts and deletes possibly hours' worth of downloads.

This usability problem wouldn't be an issue if the prompt would come at an expected and convenient moment, for example right after clicking the "Install" button where my focus is still on that task and not way later.

Comment 2 ell1e 2023-12-05 16:06:59 UTC
This still seems to be happening in slowroll, sadly. Would it maybe be a good idea to file a bug report for this with gnome-software upstream, or what would be the right component for this? Specifically the timing of clicking "Install" and that leading to an admin prompt being so long, rather than upfronting the admin prompt even before the download or much else is done (which IMHO would make it comparably safe from a UX/forgery standpoint).