Bug 73850

Summary: neat writes wep key to world-readable file
Product: [Retired] Red Hat Linux Reporter: Mike McLean <mikem>
Component: redhat-config-networkAssignee: Harald Hoyer <harald>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 8.0CC: chris.ricker, notting, rderooy, wtogami
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-02-04 16:11:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 79579, 81720    

Description Mike McLean 2002-09-12 07:18:18 UTC 
* initscripts-6.95-1
* redhat-config-network-1.1.20-1

If you configure a wireless interface with neat and set an encryption key, that
key is stored in the world readable file
/etc/sysconfig/network-scripts/ifcfg-eth?. This doesn't exactly live up to
"secure by default".  

iwconfig goes to the trouble of not letting mortal users see the encryption key,
but that effort is wasted since the user can just read it out of the network config.

neat should chmod 600 /etc/sysconfig/network-scripts/ifcfg-eth? if it contains
wep keys.  Alternately, initscripts handling of wireless devices could be
restructured to hide this info without locking down the whole file (perhaps a
file ifshadow.eth?).
Comment 1 Mike McLean 2003-01-02 20:26:50 UTC 
*** Bug 80369 has been marked as a duplicate of this bug. ***
Comment 2 Harald Hoyer 2003-02-04 16:11:32 UTC 
should be fixed in cvs