[Pkg-bluetooth-maintainers] Bug#390035: bluez-utils: should not allow all to read /etc/bluetooth/passkeys/*
Mikko Rapeli
mikko.rapeli at iki.fi
Thu Sep 28 22:22:28 UTC 2006
Package: bluez-utils
Version: 3.5-1
Severity: wishlist
*** Please type your report below this line ***
Bluetooth authentication is based on static or user-given PIN codes, as
you know. The actual link keys derived from the initial authentication,
pairing, are owned by and readable and writable only by root:
# find /var/lib/bluetooth/ -name "link*" -ls
193295 4 -rw------- 1 root root 55 Sep 29 00:55 /var/lib/bluetooth/[btaddr]/linkkeys
Shouldn't the PIN codes in /etc/bluetooth/passkeys/* be readable and writable
only by root too?
# find /etc/bluetooth/passkeys -ls
15900 4 drwxr-xr-x 2 root root 4096 Sep 29 00:54 /etc/bluetooth/passkeys
16348 4 -rw-r--r-- 1 root root 8 Sep 29 00:54 /etc/bluetooth/passkeys/default
Right now all the bluez-utils daemons seem to be running as root and
user-given PINs should go through dbus. Thus all but root should be
denied both read and write access to the /etc/bluetooth/passkeys directory and
the default file.
I think this is not a big issue/vulnerability right now. Bluetooth
addresses are hard to forge and the pins are used in the first-time
authentication only.
-Mikko
-- System Information:
Debian Release: testing
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages bluez-utils depends on:
ii dbus 0.92-2 simple interprocess messaging syst
ii libbluetooth2 3.5-1 Library to use the BlueZ Linux Blu
ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries
ii libdbus-1-3 0.92-2 simple interprocess messaging syst
ii libusb-0.1-4 2:0.1.12-2 userspace USB programming library
ii lsb-base 3.1-15 Linux Standard Base 3.1 init scrip
ii makedev 2.3.1-83 creates device files in /dev
ii module-init-tools 3.2.2-3 tools for managing Linux kernel mo
ii modutils 2.4.27.0-6 Linux module utilities
ii sysvinit 2.86.ds1-20 System-V-like init utilities
ii udev 0.100-1 /dev/ and hotplug management daemo
bluez-utils recommends no packages.
-- no debconf information
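An added shell example (not from the report and not bluez-utils code) that audits a passkeys directory for the group/other access the report describes and restricts it to owner-only; the directory path is a parameter so it can be run against a constructed copy rather than the live /etc/bluetooth/passkeys, and ownership is left as-is (root on a real system).

```shell
#!/bin/sh
# Audit and restrict permission bits of a passkeys directory: the
# directory should be 0700 and every PIN file inside it 0600, so that
# only root (the daemons' user) can read or write them.

# Print the octal permission bits of a path (GNU stat, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if neither $1 nor any entry in it grants group or other any
# access; otherwise print each exposed path with its mode and return 1.
audit_passkeys() {
    dir=$1
    bad=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        mode=$(perm_of "$p")
        # The last two octal digits are the group and other bits; anything
        # non-zero there means a non-root user can read or modify the PIN.
        case "$mode" in
            *00) ;;
            *)  echo "group/other accessible: $p (mode $mode)"; bad=1 ;;
        esac
    done
    return $bad
}

# Restrict a passkeys directory to its owner: 0700 for the directory,
# 0600 for each regular file (PIN file) inside it.
restrict_passkeys() {
    dir=$1
    chmod 0700 "$dir" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && chmod 0600 "$f"
    done
    return 0
}
```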