Bug 496247
Summary: | NetworkManager-0.7 onwards lets you create ad-hoc network with no security | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Saurabh Bathe <sbathe> |
Component: | NetworkManager | Assignee: | Dan Williams <dcbw> |
Status: | CLOSED ERRATA | QA Contact: | desktop-bugs <desktop-bugs> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 5.3 | CC: | caillon, cmeadors, cward, huzaifas, k.georgiou, msanders, peterm, rryder, tao |
Target Milestone: | rc | Keywords: | FutureFeature, OtherQA, Triaged |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Enhancement | |
Doc Text: |
NetworkManager allowed users to create completely insecure ad-hoc wireless networks and indeed, the default security setting for wifi sharing was "none". Because of this default setting and because NetworkManager did not warn users of the potential security risks, users could unwittingly compromise the security of their computers. Now, NetworkManager uses "WEP Passphrase" as the default security option for creating a new wifi network, and allows administrators to disable users' ability to share wifi connections without security in place, or their ability to share wifi connections at all. These measures make it less likely that a user could inadvertently compromise a sensitive system.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2009-09-02 11:53:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 518583 | ||
Attachments: |
Description
Saurabh Bathe
2009-04-17 14:23:52 UTC
So a nice thing would be
1. change default security option to something encrypted
2. provide an administrator option to disallow wifi sharing and possibly alert the user more strongly

Created attachment 340712 [details]
Patch allowing administrators to disable wifi sharing
This patch recognizes the following two options in /etc/sysconfig/network:
NM_WIFI_OPEN_SHARING_ALLOWED=no
- disables creating *open* shared wifi networks
NM_WIFI_SHARING_ALLOWED=no
- disables wifi sharing altogether
I realize now I also need an additional patch to ensure that these permissions are applied to autoconnect networks in NetworkManagerPolicy.c, but those networks wouldn't be successfully activated due to the permissions checks in nm-manager.c so it's not a huge problem. In the meantime, please test this patch.
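A configuration audit for the two options named in the comment above, as an added example that is not part of the patch or of NetworkManager. The function names and the three result labels are hypothetical, and the parsing rules (only the literal value `no` disables a feature, matching is case-sensitive, the last assignment in the file wins) are assumptions rather than the patch's documented behaviour.

```shell
#!/bin/sh
# Added example: report the wifi sharing policy configured in a
# sysconfig-style file. Assumptions (not taken from the patch): only the
# literal value "no" disables a feature, and the last assignment wins.

# sysconfig_get FILE KEY: print the last value assigned to KEY, or nothing.
sysconfig_get() {
    sed -n \
        -e 's/[[:space:]]*#.*$//' \
        -e "s/^[[:space:]]*$2=//p" "$1" |
    tail -n 1 |
    sed -e 's/[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/' \
        -e "s/^'\(.*\)'\$/\1/"
}

# wifi_sharing_policy [FILE]: print one of
#   sharing-disabled  NM_WIFI_SHARING_ALLOWED=no
#   secured-only      NM_WIFI_OPEN_SHARING_ALLOWED=no
#   open-allowed      neither restriction is configured
wifi_sharing_policy() {
    file=${1:-/etc/sysconfig/network}
    if [ ! -r "$file" ]; then
        echo "open-allowed"    # unreadable or missing file: nothing restricts sharing
        return 0
    fi
    sharing=$(sysconfig_get "$file" NM_WIFI_SHARING_ALLOWED)
    open=$(sysconfig_get "$file" NM_WIFI_OPEN_SHARING_ALLOWED)
    if [ "$sharing" = "no" ]; then
        echo "sharing-disabled"
    elif [ "$open" = "no" ]; then
        echo "secured-only"
    else
        echo "open-allowed"
    fi
}

# audit_demo: run the check against a constructed sample file.
audit_demo() {
    tmp=$(mktemp)
    printf '%s\n' 'NETWORKING=yes' '#NM_WIFI_SHARING_ALLOWED=no' \
        'NM_WIFI_OPEN_SHARING_ALLOWED="no"   # constructed sample' > "$tmp"
    wifi_sharing_policy "$tmp"
    rm -f "$tmp"
}
```

The result describes the file only; the options take effect only on a NetworkManager build that carries the patch from this bug.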
Seems to be a bit flaky, worked for the first time, but does not work once it's removed and again added to /etc/sysconfig/network. Will post more concrete test results in a day.

Created attachment 340726 [details]
Updated patch that ensures existing shared wifi networks are subject to permissions checks when auto-activating a connection
Expected behavior: The applet will immediately update its UI when the values in /etc/sysconfig/network change.

If NM_WIFI_SHARING_ALLOWED=no the "Create new wifi network" will be grayed out, and no shared wifi connections should be visible in the "Connect to hidden..." dialog's "Connection" combo box.

If NM_WIFI_OPEN_SHARING_ALLOWED=no the "Create new wifi network" dialog will not have the "None" option in the "Security" combo box, and no open wifi network will show up in either the "Create..." or "Hidden.." dialog's "Connection" combo box.

In addition, "WEP Passphrase" should *always* be the default option in the "Create new wifi network..." dialog.

For NetworkManager itself, permissions changes will not apply to currently active connections, i.e. if you currently have an active shared wifi connection, setting NM_WIFI_SHARING_ALLOWED=no will not immediately terminate the connection, but that connection should no longer activate successfully. Additionally, existing shared wifi connections in GConf should not be automatically chosen (if they are marked autoconnect=true) when you use the second patch (#340726).

Note the second patch is fuzzy.

You somehow seemed to have missed #include <NetworkManager.h>. I have included a patch, so if you use 2nd and my patch the rpm builds and works :)

Created attachment 340906 [details]
patch to include NetworkManager.h
So the functionality and operation works for you then?

Please confirm that this patch provides the functionality you request so we can proceed with it in RHEL 5.4.

Patches applied to NetworkManager-0.7.0-6.el5

(In reply to comment #12)
> Please confirm that this patch provides the functionality you request so we can
> proceed with it in RHEL 5.4.

yes it works.

Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
NetworkManager allowed users to create completely insecure ad-hoc wireless networks and indeed, the default security setting for wifi sharing was "none". Because of this default setting and because NetworkManager did not warn users of the potential security risks, users could unwittingly compromise the security of their computers. Now, NetworkManager uses "WEP Passphrase" as the default security option for creating a new wifi network, and allows administrators to disable users' ability to share wifi connections without security in place, or their ability to share wifi connections at all. These measures make it less likely that a user could inadvertently compromise a sensitive system.

~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.

~~ Attention Partners - RHEL 5.4 Snapshot 1 Released! ~~

RHEL 5.4 Snapshot 1 has been released on partners.redhat.com. If you have already reported your test results, you can safely ignore this request. Otherwise, please notice that there should be a fix available now that addresses this particular request. Please test and report back your results here, at your earliest convenience. The RHEL 5.4 exception freeze is quickly approaching.

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Do not flip the bug status to VERIFIED. Instead, please set your Partner ID in the Verified field above if you have successfully verified the resolution of this issue.

Further questions can be directed to your Red Hat Partner Manager or other appropriate customer representative.

~~ Attention Partners - RHEL 5.4 Snapshot 5 Released! ~~

RHEL 5.4 Snapshot 5 is the FINAL snapshot to be released before RC. It has been released on partners.redhat.com. If you have already reported your test results, you can safely ignore this request. Otherwise, please notice that there should be a fix available now that addresses this particular issue. Please test and report back your results here, at your earliest convenience.

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity. If it is urgent, escalate the issue to your partner manager as soon as possible. There is /very/ little time left to get additional code into 5.4 before GA.

Partners, after you have verified, do not flip the bug status to VERIFIED. Instead, please set your Partner ID in the Verified field above if you have successfully verified the resolution of this issue.

Further questions can be directed to your Red Hat Partner Manager or other appropriate customer representative.

Please update us with the latest test results for confirming the resolution of this request. Thank you.

works for me!

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1389.html