Why does the KDE screensaver expose files by default without requiring any credentials?
Issue
- The KDE screensaver allows users to choose a file without supplying credentials. The file browser does not accept keyboard input, but it allows the user to clear the filename extension filter and browse anywhere on the filesystem that the current session owner has permissions over, including automounted home directories. Moreover, the file browser's contextual menu is functional, allowing the user to move files to Trash or delete them. Additionally, the current session owner's KDE file browser settings are not respected: the browser renders icon thumbnails, including for files contained within directories, so automounted network directories are walked and their files are rendered as previews on the containing directory icon.
Environment
- Red Hat Enterprise Linux 7
- KDE