Bug 1342560 - KDE Screensaver exposes files of other users
Summary: KDE Screensaver exposes files of other users
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: kde-workspace
Version: 7.2
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 1420851 1479818
TreeView+ depends on / blocked
 
Reported: 2016-06-03 14:12 UTC by jigar
Modified: 2018-10-26 07:58 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 11:31:43 UTC


Attachments (Terms of Use)
Steps to Reproduce the issue (1.27 MB, application/pdf)
2016-06-03 14:12 UTC, jigar
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0717 None None None 2018-04-10 11:33:40 UTC

Description jigar 2016-06-03 14:12:29 UTC
Created attachment 1164531 [details]
Steps to Reproduce the issue

Description of problem: The KDE screensaver allows users to choose a desktop wallpaper without supplying credentials. The wallpaper chooser dialog provides a way to open an arbitrary file browser. The file browser does not accept keyboard input, but allows the user to clear the filename extension filter and browse to anywhere on the filesystem, including automounted home directories, that the current session owner has permissions over. Moreover, the file browser contextual menu is functional, allowing the user to move files to Trash or delete. Additionally, the current session owner's KDE file browser settings are not respected, and renders icon thumbnails, including files contained within directories, resulting in automounted network directories being walked and files rendered as previews onto the containing directory icon.

How reproducible: Always


Steps to Reproduce:

Check attached file ( Steps to Reproduce) for detailed steps to reproduce with graphics

Actual results: KDE exposes files of other user's without credentials

Expected results: KDE should not expose files of other user's without credentials

Comment 2 Jan Grulich 2016-06-06 09:17:20 UTC
Should be possible to fix. I would recommend adding a password dialog once you try to open the settings when the session is locked.

Comment 5 Chad Tran 2017-03-28 20:57:07 UTC
@Jan, please clarify what you meant by adding a password dialog? I don't see the option in the screensaver setting. Please walk me through the steps.

Comment 10 Jan Grulich 2017-10-13 10:38:51 UTC
Fixed in kde-workspace-4.11.19-11.el7. As I said in comment 5, we decided to drop this option completely as it's not really trivial to fix it and make sure that no user information is exposed through the screensaver.

Comment 15 errata-xmlrpc 2018-04-10 11:31:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0717


Note You need to log in before you can comment on or make changes to this bug.