Red Hat Bugzilla – Bug 120731
Security problem: wireless WEP key stored and shown as clear text
Last modified: 2007-11-30 17:10:40 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Description of problem:
Our administrator doesn't want to configure my Linux box to access the
wireless network because the WEP key is shown as clear text. When you
edit the wireless device (Wireless Device Configuration), select the
"Wireless Settings" and type in a key, that key shows up clear to the
user. And it is stored in the /etc as clear text. Since many users
have/need root access to their own machines this is a security
problem, in that the key should be tightly controlled.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
2. Add or edit a wireless device
3. Enter or edit a WEP key
Actual Results: As the key is typed or when you return to the interface
it is shown to the user. In the /etc/networking/devices folder the key
is stored as clear text.
Expected Results: At a minimum the key should be shown like a
password ('*********') in the interface when returning to it. The key
should be encrypted on the disk in the /etc folder. Ideally you would
hide the key while the user is typing it in to protect from prying
eyes (maybe require them to enter twice to verify).
Everyone with root rights can type:
# iwconfig eth0
eth0      IEEE 802.11b ESSID:"wlan" Nickname:"xxxxxx.org"
          Mode:Managed Frequency:2.447GHz Access Point:
          Bit Rate=1Mb/s Tx-Power:off Sensitivity=0/0
          Retry:off RTS thr:off Fragment thr:off
          Encryption key:4162-xxxx-xxxx-4768-496A-4B6C-4D Security
          Link Quality:0/0 Signal level:-95 dBm Noise level:-95 dBm
          Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
          Tx excessive retries:0 Invalid misc:0 Missed beacon:0
and can see the encryption keys, so storing them encrypted or
interactive PW dialogs do not prevent root from seeing the PW...
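
Added example, not part of the bug report or of any Red Hat tool: since root can read the key from the running interface either way, what the on-disk copy can still control is which non-root accounts can read it. This sketch lists key-bearing config files that are group- or world-readable and restricts them to the owner. The function names, the sample file names and the assumption that the key sits on a `KEY=` line are illustrative; GNU `find` is assumed for `-perm /044`.

```shell
#!/bin/sh
# Added example: audit a directory of network device config files for
# wireless keys that accounts other than the owner can read.
# Assumption: the key is stored on a line of the form KEY=<value>.

# audit_wep_keys DIR
# Prints the path of every regular file in DIR that contains a KEY= line
# and has the group or other read bit set. Returns 1 if any was found.
audit_wep_keys() {
    found=$(find "$1" -maxdepth 1 -type f -perm /044 \
        -exec grep -lE '^[[:space:]]*KEY=.' {} + 2>/dev/null) || true
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# restrict_wep_keys DIR
# Sets mode 600 on every file audit_wep_keys reports, leaving files
# without a key untouched.
restrict_wep_keys() {
    audit_wep_keys "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Demo on constructed sample files in a temporary directory.
demo_dir=$(mktemp -d)
printf 'ESSID=wlan\nKEY=constructed-sample-key\n' > "$demo_dir/ifcfg-sample0"
printf 'ESSID=wlan\n' > "$demo_dir/ifcfg-sample1"
chmod 644 "$demo_dir/ifcfg-sample0" "$demo_dir/ifcfg-sample1"

echo "Readable by non-owners before the fix:"
audit_wep_keys "$demo_dir" || true
restrict_wep_keys "$demo_dir"
echo "Readable by non-owners after the fix:"
audit_wep_keys "$demo_dir" && echo "(none)"
rm -rf "$demo_dir"
```
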