| Summary: | KDE Screensaver exposes files of other users | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | jigar <jraising> | ||||
| Component: | kde-workspace | Assignee: | Jan Grulich <jgrulich> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.2 | CC: | gtran09, jgrulich, jkoten, ptoshniw, tpelka | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-04-10 11:31:43 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | ||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1420851, 1479818 | ||||||
| Attachments: |
|
||||||
Should be possible to fix. I would recommend adding a password dialog once you try to open the settings when the session is locked. @Jan, please clarify what you meant by adding a password dialog? I don't see the option in the screensaver setting. Please walk me through the steps. Fixed in kde-workspace-4.11.19-11.el7. As I said in comment 5, we decided to drop this option completely as it's not really trivial to fix it and make sure that no user information is exposed through the screensaver. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0717 |
Created attachment 1164531 [details] Steps to Reproduce the issue Description of problem: The KDE screensaver allows users to choose a desktop wallpaper without supplying credentials. The wallpaper chooser dialog provides a way to open an arbitrary file browser. The file browser does not accept keyboard input, but allows the user to clear the filename extension filter and browse to anywhere on the filesystem, including automounted home directories, that the current session owner has permissions over. Moreover, the file browser contextual menu is functional, allowing the user to move files to Trash or delete. Additionally, the current session owner's KDE file browser settings are not respected, and renders icon thumbnails, including files contained within directories, resulting in automounted network directories being walked and files rendered as previews onto the containing directory icon. How reproducible: Always Steps to Reproduce: Check attached file ( Steps to Reproduce) for detailed steps to reproduce with graphics Actual results: KDE exposes files of other user's without credentials Expected results: KDE should not expose files of other user's without credentials