Bug 1342560

Summary: KDE Screensaver exposes files of other users
Product: Red Hat Enterprise Linux 7 Reporter: jigar <jraising>
Component: kde-workspaceAssignee: Jan Grulich <jgrulich>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.2CC: gtran09, jgrulich, jkoten, ptoshniw, tpelka
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 11:31:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 1420851, 1479818    
Attachments:
Description Flags
Steps to Reproduce the issue none

Description jigar 2016-06-03 14:12:29 UTC
Created attachment 1164531 [details]
Steps to Reproduce the issue

Description of problem: The KDE screensaver allows users to choose a desktop wallpaper without supplying credentials. The wallpaper chooser dialog provides a way to open an arbitrary file browser. The file browser does not accept keyboard input, but allows the user to clear the filename extension filter and browse to anywhere on the filesystem, including automounted home directories, that the current session owner has permissions over. Moreover, the file browser contextual menu is functional, allowing the user to move files to Trash or delete. Additionally, the current session owner's KDE file browser settings are not respected, and renders icon thumbnails, including files contained within directories, resulting in automounted network directories being walked and files rendered as previews onto the containing directory icon.

How reproducible: Always


Steps to Reproduce:

Check attached file ( Steps to Reproduce) for detailed steps to reproduce with graphics

Actual results: KDE exposes files of other user's without credentials

Expected results: KDE should not expose files of other user's without credentials

Comment 2 Jan Grulich 2016-06-06 09:17:20 UTC
Should be possible to fix. I would recommend adding a password dialog once you try to open the settings when the session is locked.

Comment 5 Chad Tran 2017-03-28 20:57:07 UTC
@Jan, please clarify what you meant by adding a password dialog? I don't see the option in the screensaver setting. Please walk me through the steps.

Comment 10 Jan Grulich 2017-10-13 10:38:51 UTC
Fixed in kde-workspace-4.11.19-11.el7. As I said in comment 5, we decided to drop this option completely as it's not really trivial to fix it and make sure that no user information is exposed through the screensaver.

Comment 15 errata-xmlrpc 2018-04-10 11:31:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0717