Debian WIFI password display

compis2

Guest
I am using Debian 12 with XFCE, and the Network Manager applet 1.20.0 displays the full WIFI password if requested without asking for a root password. This is a problem if an unattended workstation is left unlocked.

Can this issue be prevented?

Anyone with physical access to the device can take ownership of the device.

There are ways to hinder them, such as full disk encryption, strong passwords, and never leaving a logged-in account unattended. If you're worried about someone doing this on your computer, you should take steps to avoid it.

You can easily read the wireless passwords in the terminal with a privileged account:


Again, anyone with physical access is able to take ownership of the device. This is the basic premise for an 'evil maid' attack.
 
There are ways to hinder them, such as full disk encryption, strong passwords, and never leaving a logged-in account unattended.
You can also use gnome-keyring and kde-wallet to encrypt your wifi passwords (and other passwords), that way they won't even show up in plaintext on the filesystem.
 
You can also use gnome-keyring and kde-wallet to encrypt your wifi passwords (and other passwords), that way they won't even show up in plaintext on the filesystem.

I could be mistaken, but my understanding was that the plain text existed in the file (from the article) even with keyrings enabled. That's what I dimly recall from when I was writing the article but didn't actually test that. I'm sure I'd have not tested that.
 
I could be mistaken, but my understanding was that the plain text existed in the file (from the article) even with keyrings enabled. That's what I dimly recall from when I was writing the article but didn't actually test that. I'm sure I'd have not tested that.
I tested it myself, one screenshot where I haven't added the wifi password to the gnome-keyring and the other where I have and both screenshots contain the output of the wireless connection.
The other way I have gotten around this, is to use nmcli from the command line as root.
Make the wifi-connection in nmcli as root, you will have to type the password out in clear text
when you make the connection, but no one else can see root's history. Or you can delete the
history if you want to. I've never tried running "history" with sudo, but I suppose it's possible
a sudo user could see root's history.

But usually I don't have any sudo users. You either know the root password or you don't.
 
I tested it myself, one screenshot where I haven't added the wifi password to the gnome-keyring and the other where I have and both screenshots contain the output of the wireless connection.

Sweet! It says Flags=1 instead. I'm not sure what I expected it to say, but it wasn't that. I guess I expected it to be encrypted. (Thanks for testing that. I should probably add that to the article at some point. There are a few articles that I should update.)
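
An added example, not written by any poster in this thread: a small Python audit that reports, for each NetworkManager connection keyfile, whether the Wi-Fi key sits in the file as plaintext or is left to a secret agent such as a keyring (the Flags=1 case tested above). The `psk` and `psk-flags` key names and flag bits are NetworkManager keyfile settings; the sample profiles are constructed, and the directory path and `.nmconnection` extension used in `__main__` are assumptions about a typical install.

```python
import configparser
import stat
from pathlib import Path

# Constructed sample keyfiles (not taken from the thread's screenshots).
PLAINTEXT_SAMPLE = """\
[connection]
id=office-wifi
type=wifi

[wifi-security]
key-mgmt=wpa-psk
psk=EXAMPLE-not-a-real-key
"""
AGENT_SAMPLE = """\
[connection]
id=home-wifi
type=wifi

[wifi-security]
key-mgmt=wpa-psk
psk-flags=1
"""

def audit_keyfile(text):
    """Classify where one connection profile keeps its WPA pre-shared key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    sec = cp["wifi-security"] if cp.has_section("wifi-security") else {}
    flags = int(sec.get("psk-flags", "0"))
    if "psk" in sec:
        storage = "plaintext-in-file"   # readable by anyone who can read the file
    elif flags & 1:
        storage = "agent-owned"         # held by a secret agent such as a keyring
    elif flags & 2:
        storage = "not-saved"           # prompted for on every connect
    else:
        storage = "no-psk"
    return {"id": cp.get("connection", "id", fallback="?"), "flags": flags, "storage": storage}

def audit_dir(directory):
    """Audit every *.nmconnection keyfile in `directory` (normally needs root to read)."""
    results = []
    for path in sorted(Path(directory).glob("*.nmconnection")):
        entry = audit_keyfile(path.read_text())
        entry["file"] = path.name
        # Any group/other permission bit means non-root accounts may read the key.
        entry["readable_by_others"] = bool(stat.S_IMODE(path.stat().st_mode) & 0o077)
        results.append(entry)
    return results

if __name__ == "__main__":
    # Assumed location of system connection profiles; adjust for your install.
    for row in audit_dir("/etc/NetworkManager/system-connections"):
        print(row)
```
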
 
This is a problem if an unattended workstation is left unlocked.

Can this issue be prevented?

Yes, of course, in several ways:
  1. Educate your users to lock the PC.
  2. Educate your users to lock the PC.
  3. And my personal favourite: educate your users to lock the PC.
If there's a data leak, the wifi password is the least of your problems.
 
The other way I have gotten around this, is to use nmcli from the command line as root.
Make the wifi-connection in nmcli as root, you will have to type the password out in clear text
when you make the connection, but no one else can see root's history. Or you can delete the
history if you want to. I've never tried running "history" with sudo, but I suppose it's possible
a sudo user could see root's history.

But usually I don't have any sudo users. You either know the root password or you don't.
Changing nmcli to root is the closest answer. But nmcli has network information configuration; I do not think it holds or controls the WIFI password.
The idea is that when you show the password for WIFI, a root password must be entered. This exists for Mac and Windows.
 
You could probably get it done with a custom polkit rule but you would have to figure out which "action.id" you would need.
 
You could probably get it done with a custom polkit rule but you would have to figure out which "action.id" you would need.
I think this is a security oversight with Debian based systems. This prevents Debian systems from being used as KIOSK type systems or shared computer systems. If I look at user accounts on Debian, if I try to add or change a user it requires root access. Accessing the WIFI password or any system password should only be allowed if you are root.
 
Take it up with the Devs, we are not the Devs.

Just in case of any misapprehension on your part, we are not an official arm nor organ of Linux, just scored the dot org name - we are manned by volunteer staff who share a love of Linux and have varying skills in various departments.

Wizard
 
I think this is a security oversight with Debian based systems. This prevents Debian systems from being used as KIOSK type systems or shared computer systems.

Maybe, but the sword cuts both ways. If Linux did lock down these things, then no one could ever join a Wifi-network except
root. There are ways in Linux to make it a true Kiosk client application and lock down everything else. But then typically
you get one application, and one application only. This isn't just a Debian thing, but pretty much all Linux distros do this.
Also keep in mind, it is possible to disable sudo, so that only root can do these things.
 
This is a security omission. If Windows and Mac secure their WIFI password there is no reason Linux should not do the same. I have made a post with Gnome regarding the issue.
 
I have made a post with Gnome regarding the issue,

That's fine, so there is no need for further discussion here until you get a response from them.

Locking this thread, for now.

The OP can converse with me to get it reopened.

In the meantime, thanks as always to all Helpers.

Chris Turner
wizardfromoz
 