Debian WIFI password display

Status
Not open for further replies.
C

compis2

Guest
I am using Debian 12 with XFCE and the Network manager applet 1.20.0 displays the full WIFI password if requested without asking for a root password. This is a problem if a unattened workstation is left unlocked.

Can this issue be prevented ?

debian wifi displayed.png
 


Attachments

  • Screenshot from 2023-11-29 18-40-04.png
    Screenshot from 2023-11-29 18-40-04.png
    148 KB · Views: 67
Last edited:
Anyone with physical access to the device can take ownership of the device.

There are ways to hinder them, such as full disk encryption, strong passwords, and never leaving a logged-in account unattended. If you're worried about someone doing this on your computer, you should take steps to avoid it.

You can easily read the wireless passwords in the terminal with a privileged account:


Again, anyone with physical access is able to take ownership of the device. This is the basic premise for an 'evil maid' attack.
 
There are ways to hinder them, such as full disk encryption, strong passwords, and never leaving a logged-in account unattended.
You can also use gnome-keyring and kde-wallet to encrypt your wifi passwords(and other passwords), that way they won't even show up in plaintext on the filesystem.
 
You can also use gnome-keyring and kde-wallet to encrypt your wifi passwords(and other passwords), that way they won't even show up in plaintext on the filesystem.

I could be mistaken, but my understanding was that the plain text existed in the file (from the article) even with keyrings enabled. That's what I dimly recall from when I was writing the article but didn't actually test that. I'm sure I'd have not tested that.
 
I could be mistaken, but my understanding was that the plain text existed in the file (from the article) even with keyrings enabled. That's what I dimly recall from when I was writing the article but didn't actually test that. I'm sure I'd have not tested that.
I tested it myself, one screenshot where I haven't added the wifi password to the gnome-keyring and the other where I have and both screenshots contain the output of the wireless connection.
Screenshot from 2023-11-29 19-39-06.png
 

Attachments

  • Screenshot from 2023-11-29 19-39-50.png
    Screenshot from 2023-11-29 19-39-50.png
    208.6 KB · Views: 72
The other way I have gotten around this, is to use nmcli from the command ine as root.
Make the wifi-connection in nmcli as root, you will have to type the password out in clear text
when you make the connection, but no one else can see roots history. Or you can delete the
history if you want to. I've never tried running "history" with sudo, but I suppose it's possible
a sudo user could see roots history.

But usually I don't have any sudo users. You either know the root password or you don't.
 
I tested it myself, one screenshot where I haven't added the wifi password to the gnome-keyring and the other where I have and both screenshots contain the output of the wireless connection.

Sweet! It says Flags=1 instead. I'm not sure what I expected it to say, but it wasn't that. I guess I expected it to be encrypted. (Thanks for testing that. I should probably add that to the article at some point. There are a few articles that I should update.)
 
This is a problem if a unattened workstation is left unlocked.

Can this issue be prevented ?

Yes, of course, in several ways
  1. Educate your users to lock the PC.
  2. Educate your users to lock the PC.
  3. And my personal favourite: educate your users to lock the PC.
If there's a data leak, the wifi password is the least of your problems.
 
The other way I have gotten around this, is to use nmcli from the command ine as root.
Make the wifi-connection in nmcli as root, you will have to type the password out in clear text
when you make the connection, but no one else can see roots history. Or you can delete the
history if you want to. I've never tried running "history" with sudo, but I suppose it's possible
a sudo user could see roots history.

But usually I don't have any sudo users. You either know the root password or you don't.
Changing nmcli to root is the closest answer. But nmcli has network information configuration, I do not think it holds or controls the WIFI password.
The idea is when you show password for WIFI a root password must be entered. This exists for Mac and Windows
 
You could probably get it done with a custom polkit rule but you would have to figure out which "action.id" you would need.
 
You could probably get it done with a custom polkit rule but you would have to figure out which "action.id" you would need.
I think this is a security oversight with Debian based systems. This prevents Debian systems from being used as KIOSK type systems or shared computer systems. If I look at user account on Debian if i try to add or change a user it requires root access. Accessing the WIFI password or any system password should only be allowed if you are root.
 
Take it up with the Devs, we are not the Devs.

Just in case of any misapprehension on your part, we are not an official arm nor organ of Linux, just scored the dot org name - we are manned by volunteer staff who share a love of Linux and have varying skills in various departments.

Wizard
 
I think this is a security oversight with Debian based systems. This prevents Debian systems from being used as KIOSK type systems or shared computer systems.

Maybe, but the sword cuts both ways. If Linux did lock down these things, then no one could ever join a Wifi-network except
root. There are ways in Linux to make it a true Kiosk client application and lock down everything else. But then typically
you get one application, and one application only. This isn't just a Debian thing, but pretty much all Linux distro's do this.
Also keep in mind, it is possible to disable sudo, so that only root can do these things.
 
This is a security ommision. If windows and Mac secure there WIFI password there is no reason Linux should not do the same. I have made a post with Gnome regarding the issue,
 
I have made a post with Gnome regarding the issue,

That's fine, so there is no need for further discussion here until you get a response from them.

Locking this thread, for now.

The OP can converse with me to get it reopened.

In the meantime, thanks as always to all Helpers.

Chris Turner
wizardfromoz
 
Status
Not open for further replies.

Members online


Top