Red Hat Bugzilla – Bug 120731
Secuity problem: wireless WEP key stored and shown as clear text
Last modified: 2007-11-30 17:10:40 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031114 Description of problem: Our administrator doesn't want to configure my linux box to access the wireless network because the WEP key is shown as clear text. When you edit the wireless device (Wireless Device Configuration), select the "Wireless Settings" and type in a Key that key shows up clear to the user. And it is stored in the /etc as clear text. Since many users have/need root access to their own machines this is a security problem, in that the key should be tightly controled. Version-Release number of selected component (if applicable): 1.3.10 How reproducible: Always Steps to Reproduce: 1.Open application 2.Add or edit a wireless device 3.Enter or edit a wep key Actual Results: As key is typed or when you return to the interface it is shown to the user. In the /etc/networking/devices folder the key is stored as clear text. Expected Results: At a minimum they key should be shown like a password ('*********') in the interface when returning to it. The key should be encripted on the disk in the /etc folder. Ideally you would hid the key while the users is typing it in to protect from prioring eyes (maybe require them to enter twice to verify). Additional info:
everyone with root rights can type: # iwconfig eth0 eth0 IEEE 802.11b ESSID:"wlan" Nickname:"xxxxxx.org" Mode:Managed Frequency:2.447GHz Access Point: FF:FF:FF:FF:FF:FF Bit Rate=1Mb/s Tx-Power:off Sensitivity=0/0 Retry:off RTS thr:off Fragment thr:off Encryption key:4162-xxxx-xxxx-4768-496A-4B6C-4D Security mode:open Power Management:off Link Quality:0/0 Signal level:-95 dBm Noise level:-95 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0 and can see the encryption keys, so storing them crypted or interactive PW dialogs do not prevent root from seeing the PW...