Bug 120731 - Secuity problem: wireless WEP key stored and shown as clear text
Summary: Secuity problem: wireless WEP key stored and shown as clear text
Alias: None
Product: Fedora
Classification: Fedora
Component: redhat-config-network   
(Show other bugs)
Version: 1
Hardware: i386 Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2004-04-13 16:10 UTC by Sepehr
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-04-14 09:51:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Sepehr 2004-04-13 16:10:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)

Description of problem:
Our administrator doesn't want to configure my linux box to access the
wireless network because the WEP key is shown as clear text. When you
edit the wireless device (Wireless Device Configuration), select the
"Wireless Settings" and type in a Key that key shows up clear to the
user. And it is stored in the /etc as clear text. Since many users
have/need root access to their own machines this is a security
problem, in that the key should be tightly controled. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Open application
2.Add or edit a wireless device
3.Enter or edit a wep key

Actual Results:  As key is typed or when you return to the interface
it is shown to the user. In the /etc/networking/devices folder the key
is stored as clear text.

Expected Results:  At a minimum they key should be shown like a
password ('*********') in the interface when returning to it. The key
should be encripted on the disk in the /etc folder. Ideally you would
hid the key while the users is typing it in to protect from prioring
eyes (maybe require them to enter twice to verify).

Additional info:

Comment 1 Harald Hoyer 2004-04-14 09:51:15 UTC
everyone with root rights can type:

# iwconfig eth0
eth0      IEEE 802.11b  ESSID:"wlan"  Nickname:"xxxxxx.org"
          Mode:Managed  Frequency:2.447GHz  Access Point:
          Bit Rate=1Mb/s   Tx-Power:off   Sensitivity=0/0
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:4162-xxxx-xxxx-4768-496A-4B6C-4D   Security
          Power Management:off
          Link Quality:0/0  Signal level:-95 dBm  Noise level:-95 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

and can see the encryption keys, so storing them crypted or
interactive PW dialogs do not prevent root from seeing the PW...

Note You need to log in before you can comment on or make changes to this bug.