Created attachment 1164531 [details]
Steps to Reproduce the issue
Description of problem: The KDE screensaver allows users to choose a desktop wallpaper without supplying credentials. The wallpaper chooser dialog provides a way to open an arbitrary file browser. The file browser does not accept keyboard input, but allows the user to clear the filename extension filter and browse to anywhere on the filesystem, including automounted home directories, that the current session owner has permissions over. Moreover, the file browser contextual menu is functional, allowing the user to move files to Trash or delete. Additionally, the current session owner's KDE file browser settings are not respected, and renders icon thumbnails, including files contained within directories, resulting in automounted network directories being walked and files rendered as previews onto the containing directory icon.
How reproducible: Always
Steps to Reproduce:
Check attached file ( Steps to Reproduce) for detailed steps to reproduce with graphics
Actual results: KDE exposes files of other user's without credentials
Expected results: KDE should not expose files of other user's without credentials
Should be possible to fix. I would recommend adding a password dialog once you try to open the settings when the session is locked.
@Jan, please clarify what you meant by adding a password dialog? I don't see the option in the screensaver setting. Please walk me through the steps.
Fixed in kde-workspace-4.11.19-11.el7. As I said in comment 5, we decided to drop this option completely as it's not really trivial to fix it and make sure that no user information is exposed through the screensaver.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.