[pkg-wpa-devel] Bug#728092: Bug#728092: ifupdown: ifup -v displays wpa-password in cleartext

Mon Oct 28 17:32:50 UTC 2013

Control: severity -1 minor

Hi

On Monday 28 October 2013, Andrew Shadura wrote:
> Hi,
> 
> One more thought: wpasupplicant.conf may be what you want.

Using a wpasupplicant.conf should indeed avoid this, e.g.:

allow-hotplug wlan0
iface wlan0 inet manual
        wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

iface xyz-work inet dhcp

See /usr/share/doc/wpa_supplicant/README.Debian.gz and the examples
under that directory for details.

While I currently don't have access to wpa-enterprise encrypted 
networks, all you should end up seeing via "ifup -v" is something 
like:

Configuring interface wlan0=wlan0 (inet)
[…]
run-parts: executing /etc/network/if-pre-up.d/wpasupplicant
wpa_supplicant: wait for wpa_cli to attach
wpa_supplicant: wpa-driver nl80211,wext (default)
wpa_supplicant: /sbin/wpa_supplicant -s -B -P /var/run/wpa_supplicant.wlan0.pid -i wlan0 -W -D nl80211,wext -c /etc/wpa_supplicant/wpa_supplicant.conf
Starting /sbin/wpa_supplicant...
wpa_supplicant: creating sendsigs omission pidfile: /run/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan0.pid
wpa_supplicant: ctrl_interface socket located at /var/run/wpa_supplicant/wlan0
[…]
run-parts: executing /etc/network/if-up.d/wpasupplicant
wpa_supplicant: /sbin/wpa_cli -B -P /var/run/wpa_action.wlan0.pid -i wlan0 -p /var/run/wpa_supplicant -a /sbin/wpa_action
Starting /sbin/wpa_cli...

I'm adjusting the severity of this bug to minor, as an ordinary user 
can't query this information. Actually I'm not quite sure if it 
qualifies for a security tag either, but I'll keep that for the time
being.

$ /sbin/ifup -v wlan0
/sbin/ifup: failed to open lockfile /run/network/.ifstate.lock: Permission denied

You have to elevate its capabilities to root (via sudo) - at this point
the user has been granted unresticted access to ifup and its options 
anyways, including access to the wireless credentials.

While I will audit the wpa_supplicant hooks into ifupdown again (as
there are several changes planned anyways[1]), it would help me if you
could provide the full, obfuscated(!) (replace your password and other 
private information with XXXXX), results of ifup -v for a 
wpa-enterprise network.

As an, unrelated, remark, it's usually best not to mix the wireless-* 
and wpa-* namespace for the same interface stanza, although doing so
shouldn't be harmful -as long as the settings agree-, doing so might
create subtile race conditions between wireless-tools and 
wpa_supplicant trying to configure the interface (you only get away
with this, because wireless-tools is more or less state-less and not
a dæmon).

Regards
	Stefan Lippers-Hollmann

[1]	better DBus coexistence and #728092
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-wpa-devel/attachments/20131028/d3f7bdd4/attachment.sig>