| Summary: | KDE F15 Bluetooth pared devices visible and usable by every user | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nikolai Maziashvili <rhbugzilla> |
| Component: | bluedevil | Assignee: | Jaroslav Reznik <jreznik> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 15 | CC: | babaj96, jreznik, kevin, ltinkl, michael, rdieter, than, vdanen |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-11-30 15:31:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Nikolai Maziashvili
2011-05-20 19:29:08 UTC
I wouldn't consider this a security flaw. For instance, if you plug in a USB mouse, all users on the system can use it. It is a peripheral that is attached (whether physically or wirelessly). If you plug in a USB stick with a filesystem on it, if you leave it plugged in, other users will be able to access it. I don't know how KDE handles bluetooth devices, but I would be looking at turning off bluetooth on the phone when you don't need it, or disabling the bluetooth pair in KDE for when you don't need it (not sure if this possible or not, again, not familiar with KDE). This might be something of a feature request upstream, to have per-user authorized devices, but unless upstream is advertising this support (and it's broken) I don't think you can consider this to be a security flaw. You've attached a (wireless) peripheral to your computer and you've not unplugged it. On a system level, it's attached and like any other peripheral, any user can use it while it's attached. (Think of a bluetooth keyboard and mouse -- it's attached at the system level, not a per-user level, so it can be used by all users. To prevent that, you either take away the keyboard and mouse so it's out of range or you turn them off. I think you need to do the same with the phone). Agreed, this is not a security bug (or even a bug at all), please file a wishlist bug at bugs.kde.org. (IMHO, we can open this one up to the public, but I don't seem to have the necessary privileges for that.) After some discussion with some other peers, we've determined this isn't a security flaw (and I suspect the same problem would persist with either GNOME or KDE, etc.). This might be worth filing as an RFE with upstream to see if this can even be done (per-user bluetooth device assignments). I'm going to close this as NOTABUG in the sense that it is not a security flaw. If you want to re-open it or (preferably) file a new bug as an RFE, that would make more sense. |