Red Hat Bugzilla – Bug 470825
NM connects different users to WEP network without password demand
Last modified: 2008-11-14 05:16:15 EST
Description of problem:
NM allows a different user to connect to a WEP encrypted network without password demand.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. connect to WEP password
2. log out (doesn't matter if ctrl+alt+backspace or menu log out)
3. log in as different user
you are connected to wireless network
you should be disconnected and asked for password
This is potentially a security bug. It is generally a good idea that a person knows the password to a password-protected service (wireless network) if they are connected to it. In this case the new user may or may not know the password to the wireless network that another user previously connected to.
Network manager should verify that the password is known by the new user, either through a dialog or saved on disk in a keyring. If not, any user on the system can access a protected network and therefore protected data, without knowing the password.
I am going to propose this on the basis that it exposed a security risk.
Looking to see if a wireless connection was added with system-config-network. If it is there then this bug is moot.
Marking as needinfo until Cameron can verify that no ifcfg connections are wifi. ifcfg connections are expected to work before login and persist across user switches.
hmm.. this is actually an ifcfg device (wlan0) so this bug is obviously moot. When you leave it only in NM it disconnects itself when logging out. I think it could be taken as a security risk but it is also included by design :-/
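
The check requested in the thread (whether any ifcfg connection is wifi) can be scripted. The following is an added example, not part of the original bug report or of NetworkManager. It assumes the Red Hat layout of `/etc/sysconfig/network-scripts`, wireless profiles marked by `TYPE=Wireless` or an `ESSID=` line, and WEP keys stored in `keys-<name>`; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes Red Hat style ifcfg files: a wireless profile
# carries TYPE=Wireless and/or ESSID=, and its WEP key sits in keys-<name>.

# Print "ifcfg-<name> essid=<essid> keyfile=<yes|no>" for each wireless
# ifcfg file in directory $1 (default: /etc/sysconfig/network-scripts).
# Any line printed is a system-wide profile that stays up across logins.
list_wifi_ifcfg() {
    dir=${1:-/etc/sysconfig/network-scripts}
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # Skip editor backups and package-manager leftovers.
        case "$f" in *~|*.bak|*.orig|*.rpmsave|*.rpmnew) continue ;; esac
        grep -Eiq "^[[:space:]]*(TYPE=[\"']?Wireless|ESSID=)" "$f" || continue
        name=${f##*/ifcfg-}
        essid=$(sed -n 's/^[[:space:]]*ESSID=//p' "$f" | head -n 1 | tr -d "\"'")
        keyfile=no
        [ -f "$dir/keys-$name" ] && keyfile=yes
        printf 'ifcfg-%s essid=%s keyfile=%s\n' "$name" "${essid:-unknown}" "$keyfile"
    done
}

# Constructed sample directory (not real data) so the check runs offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'DEVICE=eth0\nTYPE=Ethernet\nONBOOT=yes\n' > "$d/ifcfg-eth0"
    printf 'DEVICE=wlan0\nTYPE=Wireless\nESSID="example-net"\nONBOOT=yes\n' > "$d/ifcfg-wlan0"
    printf 'KEY=0123456789\n' > "$d/keys-wlan0"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
list_wifi_ifcfg "$sample"
rm -rf "$sample"
```

On a real system, call `list_wifi_ifcfg` with no argument; empty output means no ifcfg connection is wifi.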