Bug 470825
Summary: | NM connects different users to WEP network without password demand | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Vladimir Benes <vbenes> |
Component: | NetworkManager | Assignee: | Dan Williams <dcbw> |
Status: | CLOSED NOTABUG | QA Contact: | Vladimir Benes <vbenes> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 5.3 | CC: | cmeadors, shillman, zcerza |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-11-14 10:16:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Vladimir Benes
2008-11-10 14:27:54 UTC
This is potentially a security bug. It is generally a good idea that a person know the password to a password protected service (wireless network) if they are connected to it. In this case the new user may or may not know the password to the wireless network that another user previously connected to. Network manager should verify that the password is known by the new user, either through a dialog or save on disk in a keyring. If not, any user on the system can access a protected network and therefore protected data, without knowing the password. I am going to proposed this on the basis that it exposed a security risk. Looking to see if a wireless connection was added with system-config-network. If it is there then this bug is moot. Marking as needinfo until cameron can verify that no ifcfg connections are wifi. ifcfg connections are expected to work before login and persist across user switches. hmm.. this is actually an ifcfg device (wlan0) so this bug is obviously moot. When you leave it only in NM it disconnects itself when logging out. I think it could be taken as security risk but it is also included by design :-/ |