setup-interface: [security][wpa_supplicant][wpa_passphrase] WiFi password / PSK being leaked to unprivileged user after setup
Let's mimic the code in setup-interface here and try executing wpa_passphrase:
```
# wpa_passphrase router_ssid password_123456
network={
	ssid="router_ssid"
	#psk="password_123456"
	psk=10714215f131837c4c22a6d98065204c0aa2803fe445cd72663a49296b1d9547
}
```
As you can see, the plaintext password is shown in the output.
The current implementation for invoking wpa_passphrase, as shown below, has severe problems:

```sh
wpa_passphrase "$essid" "$psk" >> "$conffile"
```
- The plaintext password is stored in /etc/wpa_supplicant/wpa_supplicant.conf, which defeats virtually any cyber security guideline.
- Even if the above line is removed, the file /etc/wpa_supplicant/wpa_supplicant.conf is still world readable, letting any unprivileged user on the same machine read it. That user can then copy the pre-shared key (PSK), use it on their own device, connect to the router, and potentially do harm to the network.
Unfortunately, there seems to be no option to suppress wpa_passphrase from printing out the plaintext password, therefore we should remove it immediately after the config file is created (or updated), as shown below:
diff --git a/setup-interfaces.in b/setup-interfaces.in
index e6cbf57..3ba6096 100644
--- a/setup-interfaces.in
+++ b/setup-interfaces.in
@@ -140,7 +140,8 @@ config_wpa_supp() {
local iface="$1" essid="$2" auth_type="$3" psk="$4"
local conffile=/etc/wpa_supplicant/wpa_supplicant.conf
if [ "$auth_type" = "WPA-PSK" ]; then
- wpa_passphrase "$essid" "$psk" >> "$conffile"
+ (umask 0077 && wpa_passphrase "$essid" "$psk" >> "$conffile")
+ sed -i -e '/^\t#psk=.*/d' "$conffile"
else
cat << EOF >> $conffile
network={
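Review bot: the `umask 0077` on the new `wpa_passphrase` line only sets the mode of a file that this redirect creates; because `>>` appends, a `$conffile` that already exists (from an earlier run, or from the `else` branch's `cat << EOF >> $conffile`, which still writes under the default umask) keeps its old world-readable mode. Add an explicit `chmod 0600 "$conffile"` after the write, placed so it runs for both branches. Two smaller points on the same hunk: the `sed` pattern `/^\t#psk=.*/d` depends on the exact tab indentation of wpa_passphrase output, and `^[[:space:]]*#psk=` would be more robust; and the passphrase is still passed as a command-line argument, which any local user can read from the process list while wpa_passphrase runs, whereas wpa_passphrase reads the passphrase from stdin when the second argument is omitted (`printf '%s\n' "$psk" | wpa_passphrase "$essid"`).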
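The following is an added example, not code from setup-interfaces or from the Alpine project, showing the complete hardened write that the report asks for and checking its result. It goes beyond the patch in two ways: it forces the file to mode 0600 with an explicit chmod (so a pre-existing world-readable file is fixed too, which a umask alone cannot do) and it feeds the passphrase to the generator over stdin instead of argv. `fake_wpa_passphrase` is a constructed stand-in for the real `wpa_passphrase` so the script runs offline; its 64-hex `psk` value is a placeholder, not a real PBKDF2 derivation, and the assumption that the real tool reads the passphrase from stdin when only the SSID is given should be confirmed against the wpa_supplicant version in use. The remaining function names are mine.

```shell
#!/bin/sh
# Added example, not the setup-interfaces script: write a wpa_supplicant network
# block so that (a) the commented plaintext "#psk=" line never reaches disk,
# (b) the config file ends up mode 0600 even if it already existed, and
# (c) the passphrase is fed to the generator over stdin rather than argv.

# Constructed stand-in for wpa_passphrase so the example runs offline. It
# mimics the real tool's output shape (tab-indented block with a commented
# "#psk" line) and reads the passphrase from stdin when only the SSID is given
# (assumed behaviour of the real tool). The 64-hex "psk" is a placeholder.
fake_wpa_passphrase() {
    essid="$1"
    read -r passphrase
    printf 'network={\n\tssid="%s"\n\t#psk="%s"\n\tpsk=%s\n}\n' \
        "$essid" "$passphrase" \
        "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
}

# Remove the commented plaintext line. Anchoring on optional leading
# whitespace (not a literal tab) keeps this robust to indentation changes.
strip_plaintext_psk() {
    grep -v '^[[:space:]]*#psk='
}

# Append a network block for $essid to $conffile. The umask only controls the
# mode of a file created by this redirect; the chmod covers the case where the
# file already exists with a permissive mode.
write_wpa_conf() {
    conffile="$1" essid="$2" passphrase="$3"
    (
        umask 0077
        printf '%s\n' "$passphrase" | fake_wpa_passphrase "$essid" \
            | strip_plaintext_psk >> "$conffile"
    )
    chmod 0600 "$conffile"
}

# Verification: exit 0 only if the file contains no copy of the passphrase,
# does contain a derived psk= line, and is readable by the owner only.
check_wpa_conf() {
    conffile="$1" passphrase="$2"
    if grep -q -F -- "$passphrase" "$conffile"; then
        return 1
    fi
    grep -q '^[[:space:]]*psk=[0-9a-f]\{64\}$' "$conffile" || return 1
    mode=$(ls -l "$conffile" | cut -c1-10)   # portable: no GNU/BSD stat flags
    [ "$mode" = "-rw-------" ]
}

# Demonstration on a temporary file that is deliberately pre-created
# world-readable, the situation a bare umask would not fix.
demo_conf=$(mktemp) && chmod 0644 "$demo_conf"
write_wpa_conf "$demo_conf" router_ssid password_123456
if check_wpa_conf "$demo_conf" password_123456; then
    echo "ok: no plaintext passphrase, file is 0600"
else
    echo "FAIL: passphrase leaked or permissions too open"
fi
rm -f "$demo_conf"
```

To adapt this to the real script, replace `fake_wpa_passphrase "$essid"` with `wpa_passphrase "$essid"` and keep the rest unchanged; the chmod after the subshell is what protects an existing /etc/wpa_supplicant/wpa_supplicant.conf, and the grep-based check is a cheap post-condition to run before the function returns.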