| Field | Value |
|---|---|
| Summary | NetworkManager by default stores WiFi passwords in clear text in /etc |
| Product | Fedora |
| Reporter | Kay Sievers <kay> |
| Component | NetworkManager |
| Assignee | Dan Williams <dcbw> |
| Status | CLOSED EOL |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Version | 19 |
| CC | cpanceac, cra, cwickert, dcbw, eparis, nemoinis, rvykydal |
| Doc Type | Bug Fix |
| Last Closed | 2015-02-17 13:50:29 UTC |
Description Kay Sievers 2011-08-11 13:58:32 UTC
Please stop storing passwords in /etc ever. This is the default behavior. Unless someone explicitly requests that and is properly warned about the consequences, it is generally not acceptable to have security relevant data stored on disk.
Comment 1 Nemoinis 2012-06-16 18:09:53 UTC
I hope you succeed in getting this fixed. A similar report in Debian got shot down with ungodly speed (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=647644 ). I don't understand the developer's idea of security - I quote: "Those passphrases are only readable by root resp users with admin privileges, so there is no user security hole. And you can certainly create connections, where the password is stored in the user session."
1) since we're talking wireless, we're probably talking about a laptop or other similar single-seat machine where the non-owner user can physically access the hardware;
2) therefore, protecting something with "root access" is no protection at all, since it takes all of 2 minutes for said single-seat user to boot a USB stick and access the CLEAR TEXT PASSPHRASES stored by network-manager in /etc/NetworkManager/system-connections, then boot back into the normal system;
3) creating a non-system connection is NO PROTECTION since the network's owner would have to create the connection in each user's session, where said user can simply use seahorse to display the passphrase in clear text;
4) so the fallback answer would be "well then, encrypt your whole hard-drive"; and hopefully you're able to be present to enter the decryption passphrase every time the local user reboots the machine!
5) I don't understand why even though the system takes pain to store users' passwords in hashed/encrypted form in /etc/shadow, that kind of security is somehow not needed for NetworkManager's secrets...
Comment 2 Fedora End Of Life 2013-04-03 14:22:54 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 3 Eric Paris 2013-12-31 17:01:21 UTC
Nemoinis, your logic fails at step 5. With /etc/shadow passwords the computer is verifying the password. The user is entering it in plain text. Now think about getting a wireless network. The network AP is verifying the password. The client, aka your computer, must enter the password in plain text. So how can your computer give the password in plain text if it doesn't store it somehow? If having it live on disk in plain text is unacceptable we really only have 2 options. Encrypt the disk. Don't store the password on disk. Thus you'll have to enter it every time you want to get on Wifi. Not sure if NM offers that option, but I wouldn't use it even if it did *smile*
Comment 4 Eric Paris 2013-12-31 17:04:40 UTC
I guess a third option exists, storing them in the gnome keyring. But this means no network connections until after you log into the machine. I'd be fine with this for some of my machines, but not others...
Comment 5 cornel panceac 2014-01-01 09:29:08 UTC
So, how hard is it to just encrypt somehow these passwords? This is still true in Fedora 20. Also, I suspect it is also true for pppoe passwords.
Comment 6 Charles R. Anderson 2014-04-15 12:57:30 UTC
You can't encrypt the passwords and store them system-wide because the plain text versions are needed to authenticate with the network. You could store them per-user in gnome keyring as suggested, and then they will be protected by the keyring password (usually the same as your user password). Let me guess, does a network you connect to require you to use your regular system/domain login password? Is it using PEAP? Because that is the real problem--wifi connections shouldn't be tied to system or domain logins and EAP-TLS should be used with per-device certificates instead. But since this isn't something a user could control, there should be a better option in NM to handle this case. Maybe the defaults for PEAP should be per-user-only and only allow system-wide connection configuration from the nm-applet after a big fat warning is displayed.
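A defender-side audit of the system-connections keyfiles discussed in this thread, added here as an example; it is not code from NetworkManager or from anyone in the thread. It assumes the keyfile layout NetworkManager documents (`psk` / `psk-flags` under `[wifi-security]`, `password` / `password-flags` under `[802-1x]`) and the secret-flag values 0 (system-owned, written to the file), 1 (agent-owned, e.g. GNOME keyring) and 2 (not saved, prompt each time); the sample keyfiles are constructed.

```python
# Added audit script for this thread (not NetworkManager code): parse the keyfiles
# NetworkManager writes under /etc/NetworkManager/system-connections and report
# connections whose Wi-Fi PSK or 802.1X password sits in the file in clear text
# (secret flags 0 = system-owned). Flag 1 (agent-owned, e.g. GNOME keyring) or
# 2 (not saved, prompt each time) means the secret is not written to disk.
import configparser
import os
import stat

# keyfile section -> (secret key, its *-flags key)
SECRET_KEYS = {
    "wifi-security": ("psk", "psk-flags"),
    "802-1x": ("password", "password-flags"),
}

def audit_keyfile(text, mode=0o600):
    """Return (connection id, area, problem) tuples for one keyfile's text and mode."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    name = cp.get("connection", "id", fallback="<unnamed>")
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # NM writes 0600; anything wider leaks
        findings.append((name, "file-mode", "mode %04o is not owner-only" % mode))
    for section, (secret, flags) in SECRET_KEYS.items():
        if not cp.has_section(section):
            continue
        flag_val = cp.getint(section, flags, fallback=0)
        if cp.has_option(section, secret) and flag_val == 0:
            findings.append((name, section, "secret stored in clear text on disk"))
        elif cp.has_option(section, secret):
            findings.append((name, section, "secret present despite flags=%d" % flag_val))
    return findings

def audit_directory(path="/etc/NetworkManager/system-connections"):
    """Audit every regular file in the directory (reading it needs root)."""
    results = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        st = os.stat(full)
        if stat.S_ISREG(st.st_mode):
            with open(full, encoding="utf-8") as fh:
                results.extend(audit_keyfile(fh.read(), stat.S_IMODE(st.st_mode)))
    return results

# Constructed sample keyfiles (no real credentials): PSK on disk vs. PSK in the user's keyring.
SAMPLE_SYSTEM_PSK = ("[connection]\nid=office-wifi\ntype=wifi\n[wifi]\nssid=OfficeNet\n"
                     "[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-example-passphrase\n")
SAMPLE_KEYRING_PSK = ("[connection]\nid=home-wifi\ntype=wifi\n[wifi]\nssid=HomeNet\n"
                      "[wifi-security]\nkey-mgmt=wpa-psk\npsk-flags=1\n")
```

Running `audit_directory()` as root lists every connection whose secret is recoverable from the keyfile alone, which is exactly the set an attacker with offline disk access would read.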
Comment 7 Fedora End Of Life 2015-01-09 16:45:02 UTC
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Comment 8 Fedora End Of Life 2015-02-17 13:50:29 UTC
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.