Bug#390035: bluez-utils: should not allow all to read /etc/bluetooth/passkeys/*

Thu, 28 Sep 2006 15:56:25 -0700 

Package: bluez-utils
Version: 3.5-1
Severity: wishlist

*** Please type your report below this line ***

Bluetooth authentication is based on static or user given pin codes, as
you know. The actual link keys derived from the initial authentication,
pairing, are owned and readable and writable only by root:

# find /var/lib/bluetooth/ -name "link*" -ls
193295    4 -rw-------   1 root     root           55 Sep 29 00:55
/var/lib/bluetooth/[btaddr]/linkkeys

Shouln't the pin codes in /etc/bluetooth/passkeys/* be readable and writable 
only by root too?

# find /etc/bluetooth/passkeys -ls
 15900    4 drwxr-xr-x   2 root     root         4096 Sep 29 00:54
/etc/bluetooth/passkeys
 16348    4 -rw-r--r--   1 root     root            8 Sep 29 00:54
/etc/bluetooth/passkeys/default

Right now all the bluez-utils daemons seem to be running as root and
user given pins should go through dbus. Thus all but root should be
denied of both read and write access to /etc/bluetooth/passkeys directory and 
the default file.

I think this is not a big issue/vulnerability right now. Bluetooth
addresses are hard to forge and the pins are used in the first-time
authentication only.

-Mikko

-- System Information:
Debian Release: testing
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages bluez-utils depends on:
ii  dbus                         0.92-2      simple interprocess messaging syst
ii  libbluetooth2                3.5-1       Library to use the BlueZ Linux Blu
ii  libc6                        2.3.6.ds1-4 GNU C Library: Shared libraries
ii  libdbus-1-3                  0.92-2      simple interprocess messaging syst
ii  libusb-0.1-4                 2:0.1.12-2  userspace USB programming library
ii  lsb-base                     3.1-15      Linux Standard Base 3.1 init scrip
ii  makedev                      2.3.1-83    creates device files in /dev
ii  module-init-tools            3.2.2-3     tools for managing Linux kernel mo
ii  modutils                     2.4.27.0-6  Linux module utilities
ii  sysvinit                     2.86.ds1-20 System-V-like init utilities
ii  udev                         0.100-1     /dev/ and hotplug management daemo

bluez-utils recommends no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to