609595 – [NM-openswan] saves user passwords/passphrases to a world-readable file

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 609595 - [NM-openswan] saves user passwords/passphrases to a world-readable file

Summary: [NM-openswan] saves user passwords/passphrases to a world-readable file

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	NetworkManager-openswan
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Avesh Agarwal
QA Contact:	Aleš Mareček
Docs Contact:
URL:
Whiteboard:
Depends On:	614250
Blocks:	609517
TreeView+	depends on / blocked

Reported:	2010-06-30 16:47 UTC by Bill Nottingham
Modified:	2014-03-17 03:24 UTC (History)
CC List:	12 users (show)
Fixed In Version:	NetworkManager-openswan-0.8.0-3.20100411git.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:	607352
Environment:
Last Closed:	2010-11-10 19:32:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Bill Nottingham 2010-06-30 16:47:15 UTC

(Please move this to NM-openswan when the component becomes available.)

Description of problem:

NM-openswan saves user passwords/passphrases to a world-readable file in /etc/ipsec.d.

1) it shouldn't be writing user connections to the global store
2) it certainly shouldn't be saving passphrases that are set to 'ask every time'
3) nor should it be saving them to a world-readable, plaintext file

Version-Release number of selected component (if applicable):

0.8.0-1.20100411git

How reproducible:

100%

Steps to Reproduce:
1. set up a connection
2. look in /etc/ipsec.d
 
Actual results:

Stuff.

Expected results:

No stuff.

Comment 3 Bill Nottingham 2010-07-06 16:21:10 UTC

If I'm reading the code right, it boils down to "openswan cannot take configuration on stdin/pipe", so NM-openswan is writing the whole config to the filesystem before starting the underlying vpn code. Ergo, it likely requires openswan fixes before NM-openswan can be fixed.

Comment 4 Paul Wouters 2010-07-09 19:36:25 UTC

Correct. If passing secrets from NM to Openswan, something needs to be coded.

1 send via ipsec whack?   Could expose the cmdline on multiuser systems
2 send via linking the nm helper with libwhack? - Requires an .so for some of the libs we now only build staticly. And technically whack is an "internal only API"
3 extend the secrets method for loading secrets eg allowing ipsec.secrets
  (directly or via includes) to specify:
    #conn-name PSK: "secret"
4 send via new helper that takes stdin, then talks to pluto via its socket in /var/run/pluto/

We really want to keep secrets out of ipsec.conf, so that would exclude things like leftpsk=mysecret.

I'd say at this point 1) is probably the easiest, and reasonably secure.

Comment 5 Steve Grubb 2010-07-09 20:00:46 UTC

Why can't the nm app do #4 itself?

Comment 6 Bill Nottingham 2010-07-10 02:54:13 UTC

There's a suggestion in a different/cloned bug about passing the config via /dev/stdin. I don't know that that would work. I think #1 is a bad idea, personally... exposing it via the cmdline is worse than in the cfg file.

Comment 7 Avesh Agarwal 2010-07-14 12:54:40 UTC

why are the all acks removed from this bz?

Comment 9 Avesh Agarwal 2010-07-14 15:09:21 UTC

Build is going on, and the version is NetworkManager-openswan-0.8.0-3.20100411git.el6. Build is currently stuck due to kernel, gcc and openoffice builds. Hope it builds and does not fail. As I have committed fixes, so putting it to modified.

Comment 13 releng-rhel@redhat.com 2010-11-10 19:32:16 UTC

Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.