Bug 470825

Summary: NM connects different users to WEP network without password demand
Product: Red Hat Enterprise Linux 5 Reporter: Vladimir Benes <vbenes>
Component: NetworkManagerAssignee: Dan Williams <dcbw>
Status: CLOSED NOTABUG QA Contact: Vladimir Benes <vbenes>
Severity: high Docs Contact:
Priority: high    
Version: 5.3CC: cmeadors, shillman, zcerza
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-14 10:16:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vladimir Benes 2008-11-10 14:27:54 UTC 
Description of problem:
NM allows different user to connect to WEP encrypted network without password demand.. 

Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.11.svn4185

How reproducible:


Steps to Reproduce:
1.connect to WEP password
2.log out (doesn't matter if ctrl+alt+backspace or menu log out)
3.log in as different user

  
Actual results:
you are connected to wireless network

Expected results:
you should be disconnected and asked for password

Additional info:
Comment 1 Cameron Meadors 2008-11-13 18:58:17 UTC 
This is potentially a security bug.  It is generally a good idea that a person know the password to a password protected service (wireless network) if they are connected to it. In this case the new user may or may not know the password to the wireless network that another user previously connected to.

Network manager should verify that the password is known by the new user, either through a dialog or save on disk in a keyring.  If not, any user on the system can access a protected network and therefore protected data, without knowing the password.

I am going to proposed this on the basis that it exposed a security risk.
Comment 2 Cameron Meadors 2008-11-13 19:18:50 UTC 
Looking to see if a wireless connection was added with system-config-network.  If it is there then this bug is moot.
Comment 3 Dan Williams 2008-11-13 21:43:52 UTC 
Marking as needinfo until cameron can verify that no ifcfg connections are wifi.  ifcfg connections are expected to work before login and persist across user switches.
Comment 4 Vladimir Benes 2008-11-14 10:08:46 UTC 
hmm.. this is actually an ifcfg device (wlan0) so this bug is obviously moot. When you leave it only in NM it disconnects itself when logging out. I think it could be taken as security risk but it is also included by design :-/