Gordon Messmer
2020-Jan-14 00:35 UTC
[CentOS] Limiting what devices can pair over Bluetooth?
On 1/13/20 2:26 AM, James Pearson wrote:
> Which is a pity, as it's either an all or nothing with Bluetooth,
> which means we can't use Bluetooth for Wacom tablets without opening
> up access to file transfer over Bluetooth as well ...

What is the threat you're trying to mitigate, specifically? I don't see how pairing a tablet would allow file transfers. An unauthorized device can't unilaterally pair with your system.
James Pearson
2020-Jan-14 10:27 UTC
[CentOS] Limiting what devices can pair over Bluetooth?
Gordon Messmer wrote:
>
> On 1/13/20 2:26 AM, James Pearson wrote:
>> Which is a pity, as it's either an all or nothing with Bluetooth,
>> which means we can't use Bluetooth for Wacom tablets without opening
>> up access to file transfer over Bluetooth as well ...
>
> What is the threat you're trying to mitigate, specifically? I don't see
> how pairing a tablet would allow file transfers. An unauthorized device
> can't unilaterally pair with your system.

If you enable Bluetooth on a workstation (by starting the 'bluetooth' service), then a normal user on the workstation can (for example) transfer files to/from a mobile phone - which is something we don't allow

Users don't have to have any special perms to do this - users can pair with any Bluetooth devices they want

i.e. it isn't possible to control what a user can and can't do with Bluetooth - so it isn't possible to allow pairing with just particular (or classes of) Bluetooth devices

James Pearson
On 14/01/2020 10:27, James Pearson wrote:
> Gordon Messmer wrote:
>>
>> On 1/13/20 2:26 AM, James Pearson wrote:
>>> Which is a pity, as it's either an all or nothing with Bluetooth,
>>> which means we can't use Bluetooth for Wacom tablets without opening
>>> up access to file transfer over Bluetooth as well ...
>>
>> What is the threat you're trying to mitigate, specifically? I don't see
>> how pairing a tablet would allow file transfers. An unauthorized device
>> can't unilaterally pair with your system.
> If you enable Bluetooth on a workstation (by starting the 'bluetooth'
> service), then a normal user on the workstation can (for example)
> transfer files to/from a mobile phone - which is something we don't allow
>
> Users don't have to have any special perms to do this - users can pair
> with any Bluetooth devices they want
>
> i.e. it isn't possible to control what a user can and can't do with
> Bluetooth - so it isn't possible to allow pairing with just particular
> (or classes of) Bluetooth devices
>

Is it possible to control behaviour with udev rules?