Package: bluez-utils
Version: 3.5-1
Severity: wishlist

*** Please type your report below this line ***
Bluetooth authentication is based on static or user-given pin codes, as you
know. The actual link keys derived from the initial authentication, pairing,
are owned and readable and writable only by root:

# find /var/lib/bluetooth/ -name "link*" -ls
193295    4 -rw-------   1 root     root           55 Sep 29 00:55 /var/lib/bluetooth/[btaddr]/linkkeys

Shouldn't the pin codes in /etc/bluetooth/passkeys/* be readable and writable
only by root too?

# find /etc/bluetooth/passkeys -ls
 15900    4 drwxr-xr-x   2 root     root         4096 Sep 29 00:54 /etc/bluetooth/passkeys
 16348    4 -rw-r--r--   1 root     root            8 Sep 29 00:54 /etc/bluetooth/passkeys/default

Right now all the bluez-utils daemons seem to be running as root and user-given
pins should go through dbus. Thus all but root should be denied both read and
write access to the /etc/bluetooth/passkeys directory and the default file.

I think this is not a big issue/vulnerability right now. Bluetooth addresses
are hard to forge and the pins are used in the first-time authentication only.

-Mikko

-- System Information:
Debian Release: testing
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages bluez-utils depends on:
ii  dbus                0.92-2         simple interprocess messaging syst
ii  libbluetooth2       3.5-1          Library to use the BlueZ Linux Blu
ii  libc6               2.3.6.ds1-4    GNU C Library: Shared libraries
ii  libdbus-1-3         0.92-2         simple interprocess messaging syst
ii  libusb-0.1-4        2:0.1.12-2     userspace USB programming library
ii  lsb-base            3.1-15         Linux Standard Base 3.1 init scrip
ii  makedev             2.3.1-83       creates device files in /dev
ii  module-init-tools   3.2.2-3        tools for managing Linux kernel mo
ii  modutils            2.4.27.0-6     Linux module utilities
ii  sysvinit            2.86.ds1-20    System-V-like init utilities
ii  udev                0.100-1        /dev/ and hotplug management daemo

bluez-utils recommends no packages.
-- no debconf information
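The check the report asks for, as an added example that is not part of the bug report or of bluez-utils: a small POSIX shell audit that flags any entry under the passkeys directory whose group or world permission bits are set, and a helper that applies the owner-only modes the report argues for (700 on the directory, 600 on the files). The default path is the one from the report; the functions take an alternative base directory so they can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the BlueZ passkey store for
# group/world access bits, then restrict it to root-only as the report suggests.

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when only the owner has any access bit set (group and other are 0).
# Return 1 when the entry is group- or world-accessible, 2 when it is missing.
owner_only() {
    mode=$(perm_of "$1") || return 2
    # keep the last three digits so setuid/setgid/sticky bits do not confuse the test
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Audit the passkeys directory and every entry inside it.
# Returns 0 when all are owner-only, 1 when at least one is exposed.
audit_passkeys() {
    base=${1:-/etc/bluetooth/passkeys}
    bad=0
    for p in "$base" "$base"/*; do
        [ -e "$p" ] || continue            # skip the literal glob when empty
        if owner_only "$p"; then
            echo "ok   $(perm_of "$p") $p"
        else
            echo "OPEN $(perm_of "$p") $p"  # readable/writable beyond root
            bad=1
        fi
    done
    return $bad
}

# Apply the modes the report asks for: 700 on the directory, 600 on each file.
restrict_passkeys() {
    base=${1:-/etc/bluetooth/passkeys}
    chmod 700 "$base" || return 1
    for f in "$base"/*; do
        [ -f "$f" ] && { chmod 600 "$f" || return 1; }
    done
    return 0
}
```

Running `audit_passkeys` against the listing in the report would flag both the 755 directory and the 644 default file; `restrict_passkeys` then brings them in line with the 600 linkkeys file under /var/lib/bluetooth.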