Bug 408581

Summary: Bluetooth (audio) should not be shared in multi-user environment
Product: [Unmaintained] Bluedevil
Reporter: Simone Gaiarin <simgunz>
Component: general
Assignee: David Rosca <nowrep>
Status: RESOLVED UPSTREAM    
Severity: normal    
Priority: NOR    
Version First Reported In: 5.15.5   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Simone Gaiarin 2019-06-11 19:00:43 UTC
SUMMARY
When a Bluetooth device is added to the 'bluetooth device' system settings module, the device is added for all the users of the system.

This implies a security risk. Another user could, for example, access my phone through Bluetooth.

Moreover, if two users are logged in at the same time and there is a Bluetooth audio device available, this device is shown as connected to both users, but only one of them (at random) is able to output audio to it (could be the one that is not currently active). Not only this, but the other user can listen to the audio stream coming from the session of the other user.

STEPS TO REPRODUCE
1. Log in with user1
2. Pair a Bluetooth audio device
3. Play music through the device
4. Switch session, and log in with user2

OBSERVED RESULT
User2 can see that the (audio) device has been paired and use it. Audio from user1 is audible through the audio device.

EXPECTED RESULT
User2 has its own list of Bluetooth devices and does not see those of other users.

SOFTWARE/OS VERSIONS
Operating System: Manjaro Linux 
KDE Plasma Version: 5.15.5
KDE Frameworks Version: 5.58.0
Qt Version: 5.12.3
Kernel Version: 4.19.45-1-MANJARO
OS Type: 64-bit

Comment 1 David Rosca 2019-06-13 16:30:48 UTC
That's how BlueZ works. You should report it there.