Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
Security issue with WIFI being displayed
Security issue with WIFI being displayed
Using Debian 12 Amd 64 with XFCE the network manager applet 1.30.0 displays the WIFI password on a terminal screen without asking for a password. This should be secured from any user opening up the terminal and viewing the WIFI password. Can this be done on Debian 12 ?
Re: Security issue with WIFI being displayed
Can I force the requirement of the Root password before allowing anyone who has ccess to the workstation to view the WIFI password?
-
- Global Moderator
- Posts: 2979
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 75 times
- Been thanked: 407 times
Re: Security issue with WIFI being displayed
Moved from "System and Network configuration" to "Graphical Environments and Desktop" sub-forum.
-
- Debian Developer
- Posts: 452
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 88 times
Re: Security issue with WIFI being displayed
In Debian 12 the Wi-Fi password is stored in a file that only the root user can read. However, the NetworkManager service offers an API for operating on network settings. This API requires authorization. The opration "org.freedesktop.NetworkManager.settings.modify.system" by default can only be done if you are on the local system (so does not work over SSH), your session is active (so screen is not locked etc.) and you are in the group "sudo" or "netdev". Do you meet these requirements? By default the first user is at least part of "netdev" but subsequent users are not.
-
- Posts: 31
- Joined: 2023-12-19 09:25
- Been thanked: 1 time
Re: Security issue with WIFI being displayed
I do not see the API requiring authorization through the network manager app?
If you compare other O.S. such as windows or apple no access to the WIFI can be made without a password, otherwise any user can access the local machines WIFI information
If you compare other O.S. such as windows or apple no access to the WIFI can be made without a password, otherwise any user can access the local machines WIFI information
-
- Global Moderator
- Posts: 2719
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 201 times
Re: Security issue with WIFI being displayed
generally polkitadmiincomp wrote: ↑2024-01-07 22:58 I do not see the API requiring authorization through the network manager app?
not in my experienceadmiincomp wrote: ↑2024-01-07 22:58 If you compare other O.S. such as windows or apple no access to the WIFI can be made without a password,...
usually.admiincomp wrote: ↑2024-01-07 22:58 ..., otherwise any user can access the local machines WIFI information
How about you just don't let them use your computer.
-
- Posts: 31
- Joined: 2023-12-19 09:25
- Been thanked: 1 time
Re: Security issue with WIFI being displayed
That is the only option. You cannot let anyone use the computer if you do not trust them with accessing the WIFI information.
-
- Debian Developer
- Posts: 452
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 88 times
Re: Security issue with WIFI being displayed
If I create a guest user on my Debian 12 system, they cannot access the wifi password. Here's a screencast that shows it:admiincomp wrote: ↑2024-01-07 22:58 If you compare other O.S. such as windows or apple no access to the WIFI can be made without a password, otherwise any user can access the local machines WIFI information
https://lindi.iki.fi/lindi/screencast/d ... sword.webm
-
- Posts: 31
- Joined: 2023-12-19 09:25
- Been thanked: 1 time
Re: Security issue with WIFI being displayed
You should not have to create a guest. This issue does not exist on windows or Apple.
-
- Debian Developer
- Posts: 452
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 88 times
Re: Security issue with WIFI being displayed
What issue? Debian lets you configure if a user can configure network or not. By default the first user created can configure the network as that's what most people want but you can change that.admiincomp wrote: ↑2024-01-17 05:29 You should not have to create a guest. This issue does not exist on windows or Apple.
- bbbhltz
- Posts: 166
- Joined: 2024-01-10 14:53
- Location: Normandy
- XMMP/Jabber: bbbhltz@mailbox.org
- Has thanked: 49 times
- Been thanked: 33 times
Re: Security issue with WIFI being displayed
Linux systems are meant to be used by different users and administrators or superusers. I think that might be the reasoning. I wouldn't let anyone except my partner or (maybe) my son use my personal session on a computer. Get he WiFi password? That's nothing. Imagine if you use Chromium as a password manager. Somewhere inadmiincomp wrote: ↑2024-01-17 05:29 You should not have to create a guest. This issue does not exist on windows or Apple.
~/.local/or
~/.config/is a file with many passwords in it.
It does appear that this is a design/UI/UX decision, though, and other DE's also show the password. So you cannot be the first to mention it and a quick DDG search turns up 7-year-old discussions on other Q&A forums talking about obfuscating the password with a hash, which would only slow someone down.
Also, on Windows I have on more than one occasion "extracted" the WiFi password using tools that can be found through search engines. This was about 10 years ago, to perhaps Windows got wise. I don't know a thing about Apple, except 1) my students love them and 2) my students don't know how to use them.
bbbhltz
longtime desktop Linux user; eternal newbie
longtime desktop Linux user; eternal newbie
-
- Debian Developer
- Posts: 452
- Joined: 2022-07-12 14:10
- Has thanked: 1 time
- Been thanked: 88 times
Re: Security issue with WIFI being displayed
This is not a UI issue. The password is stored outside users's home directory and there is an API to query that password. The API requires authorization. By default the first user is authorized to access that but if you create more users those are not. I don't see why you would hash a wifi password either, how would you then use it to authenticate to a wifi access point?bbbhltz wrote: ↑2024-01-17 06:41It does appear that this is a design/UI/UX decision, though, and other DE's also show the password. So you cannot be the first to mention it and a quick DDG search turns up 7-year-old discussions on other Q&A forums talking about obfuscating the password with a hash, which would only slow someone down.admiincomp wrote: ↑2024-01-17 05:29 You should not have to create a guest. This issue does not exist on windows or Apple.
-
- df -h | grep > 20TiB
- Posts: 1418
- Joined: 2012-10-06 05:31
- Location: /dev/chair
- Has thanked: 80 times
- Been thanked: 191 times
Re: Security issue with WIFI being displayed
If you create a guest user, by default they do not have permission to modify system network connections. That is not the same as viewing stored wireless keys.
Said permissions are generally policykit rules, e.g.
Code: Select all
$ cat /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
subject.isInGroup("plugdev") && subject.active) {
return "yes";
}
});
You can't hash it, because wpa-supplicant needs the plaintext key to authenticate to the AP. You can encrypt it at the widget / manager / GUI level though, (then pass the decrypted string to NM over dbus) and details on the various ways to do that can be found in the usual place.
Otherwise keys are stored in plaintext in /etc/, and can be viewed by anyone with the appropriate filesystem permissions or IPC policy, same as any other OS.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
Re: Security issue with WIFI being displayed
Wrong, it can be clear text, but when I used wpa-supplicant , I used wpa_passphrase (in the same pacakge) to crypt the wifi-passphrase. And wpa_supplicant.conf had to only root readable, if I remember right.
-
- Posts: 31
- Joined: 2023-12-19 09:25
- Been thanked: 1 time
Re: Security issue with WIFI being displayed
The solution has to be forcing the administrator password before allowing access to any WIFI security information.
-
- Global Moderator
- Posts: 2719
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 201 times
Re: Security issue with WIFI being displayed
Not on MY user will there be a forced password,,,admiincomp wrote: ↑2024-01-22 00:02 The solution has to be forcing the administrator password before allowing access to any WIFI security information.
This is why you create, need to create, are forced to create a Guest User
There is no OS that hides the password from the empowered (root, admin, administrator, god, super user, power user, me, etc) user. PERIOD
viewtopic.php?p=788094#p788094