Package: network-manager
Version: 0.9.0-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,
Since the last upgrade in wheezy, network-manager defaults to creating 
system-wide connections.
Clicking on a wireless network in the nm-applet network list brings up a 
PolicyKit password prompt saying that a password is required to modify network 
settings for all users.

It is causing bugs #645815 and #642136, and moreover causes the wireless 
passphrases to be stored *in clear text* in 
/etc/NetworkManager/system-connections/*

Defaulting to system-wide connections may or may not be a good thing (it would 
be better if the user were given the choice), but storing passphrases 
unencrypted is imho definitely a bad idea.
The previous system, which stored the passphrases in the GNOME keyring, was 
a much better alternative. In the present case, anyone with sufficient 
permissions or physical access to the disk is able to read the user's 
passphrases; this is a big concern.

Example:

root@atom:/etc/NetworkManager/system-connections# cat Freebox-ABA336 
[connection]
id=Freebox-ABA336
uuid=05e76e08-d8a7-43ef-99d1-91d42e0004ce
type=802-11-wireless
timestamp=1320076174

[802-11-wireless]
ssid=Freebox-ABA336
mode=infrastructure
mac-address=(mac address)
security=802-11-wireless-security

[802-11-wireless-security]
key-mgmt=wpa-psk
psk=(WPA passphrase in clear text!!)

[ipv4]
method=auto
dns=8.8.8.8;8.8.4.4;
ignore-auto-dns=true

[ipv6]
method=auto

Note that it is still possible to create user-specific (passphrase stored in 
keyring) connections by manually entering the details in nm-connection-editor, 
but few people will think about this.
Please either restore the previous behaviour, or provide a user-friendly way to 
choose what storage will be used, or provide a secure storage for system-wide 
passphrases.


Thank you in advance.


-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages network-manager depends on:
ii  adduser                3.113      
ii  dbus                   1.4.16-1   
ii  isc-dhcp-client        4.1.1-P1-17
ii  libc6                  2.13-21    
ii  libdbus-1-3            1.4.16-1   
ii  libdbus-glib-1-2       0.98-1     
ii  libgcrypt11            1.5.0-3    
ii  libglib2.0-0           2.28.6-1   
ii  libgnutls26            2.12.11-1  
ii  libgudev-1.0-0         172-1      
ii  libnl1                 1.1-7      
ii  libnm-glib4            0.9.0-2    
ii  libnm-util2            0.9.0-2    
ii  libpolkit-gobject-1-0  0.102-1    
ii  libuuid1               2.19.1-5   
ii  lsb-base               3.2-28     
ii  udev                   172-1      
ii  wpasupplicant          0.7.3-5    

Versions of packages network-manager recommends:
pn  dnsmasq-base  <none>  
pn  iptables      1.4.12-1
pn  modemmanager  <none>  
pn  policykit-1   0.102-1 
pn  ppp           <none>  

Versions of packages network-manager suggests:
pn  avahi-autoipd  <none>

-- no debconf information
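As an added example (not part of this bug report or of NetworkManager itself): a small Python audit that parses keyfiles in the layout shown above and reports each connection whose Wi-Fi secret sits in the file in clear text, together with whether the file mode lets anyone other than the owner read it. The sample keyfile, the `Example-WLAN` name and the function names are constructed for this example.

```python
import tempfile
from configparser import ConfigParser
from pathlib import Path
from typing import Dict, List

# Constructed sample keyfile in the layout the bug report shows (not a real network).
SAMPLE_KEYFILE = """\
[connection]
id=Example-WLAN
type=802-11-wireless

[802-11-wireless]
ssid=Example-WLAN
security=802-11-wireless-security

[802-11-wireless-security]
key-mgmt=wpa-psk
psk=correct horse battery staple
"""

SECURITY_SECTION = "802-11-wireless-security"
SECRET_KEYS = ("psk", "wep-key0", "wep-key1", "wep-key2", "wep-key3", "leap-password")


def find_clear_text_secrets(keyfile_text: str) -> List[str]:
    """Return the secret entries present in clear text in one keyfile."""
    parser = ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(keyfile_text)
    if not parser.has_section(SECURITY_SECTION):
        return []
    section = parser[SECURITY_SECTION]
    return [k for k in SECRET_KEYS if section.get(k, "").strip()]


def audit_keyfile_dir(directory: str) -> Dict[str, Dict[str, object]]:
    """Flag clear-text secrets and non-owner-only modes for each keyfile in a directory."""
    report = {}
    for path in sorted(p for p in Path(directory).iterdir() if p.is_file()):
        report[path.name] = {
            "clear_text_secrets": find_clear_text_secrets(path.read_text(errors="replace")),
            "readable_by_others": bool(path.stat().st_mode & 0o077),
        }
    return report


def audit_sample() -> Dict[str, Dict[str, object]]:
    """Write the constructed sample to a temporary directory (mode 0600) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "Example-WLAN"
        target.write_text(SAMPLE_KEYFILE)
        target.chmod(0o600)
        return audit_keyfile_dir(tmp)
```

On a real system, call `audit_keyfile_dir("/etc/NetworkManager/system-connections")` as root; a non-empty `clear_text_secrets` list is the condition this report describes.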
