Bug 706516

Summary: KDE F15 Bluetooth paired devices visible and usable by every user
Product: Fedora
Component: bluedevil
Version: 15
Hardware: x86_64
OS: Linux
Status: CLOSED NOTABUG
Severity: urgent
Priority: urgent
Reporter: Nikolai Maziashvili <rhbugzilla>
Assignee: Jaroslav Reznik <jreznik>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: babaj96, jreznik, kevin, ltinkl, michael, rdieter, than, vdanen
Doc Type: Bug Fix
Last Closed: 2011-11-30 15:31:06 UTC

Description Nikolai Maziashvili 2011-05-20 19:29:08 UTC
Description of problem:
I have my phone and bluetooth mouse paired with my laptop. When I created a new user (my wife in this case) she could use my mouse "out of the box" and connect to my phone.
Her and my paired device lists were identical.
I think it is quite a security issue. I don't think that any user must be allowed to see what devices anyone else has paired/used etc.
Just to test this I have removed all users, created a new test user and it could immediately start using my mouse and pair my phone.
It seems that bluetooth configuration is shared among every user on the system.


Version-Release number of selected component (if applicable):
bluedevil-1.1-2.fc15.x86_64
bluez-libs-4.87-5.fc15.x86_64
libbluedevil-1.9-0.1.20110502git.fc15.x86_64
bluez-4.87-5.fc15.x86_64


How reproducible:
Pair devices with your laptop/computer. Create a new user, log in to the system as the new user and check from the taskbar if the devices are present on the list.
The easiest way is to pair a mouse, and if it works while logged in as the new user then ... well...

Actual results:
Every user has the same device list.

Comment 1 Vincent Danen 2011-11-30 06:39:11 UTC
I wouldn't consider this a security flaw.

For instance, if you plug in a USB mouse, all users on the system can use it.  It is a peripheral that is attached (whether physically or wirelessly).  If you plug in a USB stick with a filesystem on it, if you leave it plugged in, other users will be able to access it.

I don't know how KDE handles bluetooth devices, but I would be looking at turning off bluetooth on the phone when you don't need it, or disabling the bluetooth pair in KDE for when you don't need it (not sure if this is possible or not, again, not familiar with KDE).

This might be something of a feature request upstream, to have per-user authorized devices, but unless upstream is advertising this support (and it's broken) I don't think you can consider this to be a security flaw.  You've attached a (wireless) peripheral to your computer and you've not unplugged it.  On a system level, it's attached and like any other peripheral, any user can use it while it's attached.  (Think of a bluetooth keyboard and mouse -- it's attached at the system level, not a per-user level, so it can be used by all users.  To prevent that, you either take away the keyboard and mouse so it's out of range or you turn them off.  I think you need to do the same with the phone).

Comment 2 Kevin Kofler 2011-11-30 15:31:06 UTC
Agreed, this is not a security bug (or even a bug at all), please file a wishlist bug at bugs.kde.org.

(IMHO, we can open this one up to the public, but I don't seem to have the necessary privileges for that.)

Comment 3 Vincent Danen 2011-11-30 17:23:00 UTC
After some discussion with some other peers, we've determined this isn't a security flaw (and I suspect the same problem would persist with either GNOME or KDE, etc.).  This might be worth filing as an RFE with upstream to see if this can even be done (per-user bluetooth device assignments).

I'm going to close this as NOTABUG in the sense that it is not a security flaw.  If you want to re-open it or (preferably) file a new bug as an RFE, that would make more sense.