nodiscc
2011-Nov-04 20:10 UTC
[Secure-testing-team] Bug#647644: network-manager: stores wireless passphrases in plain-text
Package: network-manager
Version: 0.9.0-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

since the last upgrade in wheezy, network-manager defaults to creating system-wide connections. Clicking on a wireless network from the nm-applet network list brings up a PolicyKit password prompt, says password is required to modify network settings for all users.

It is causing the bugs #645815 and #642136, and moreover causes the wireless passphrases to be stored *in clear text* in /etc/NetworkManager/system-connections/*

Defaulting to system-wide connections may or may not be a good thing (would be better if the user was given the choice), but storing passphrases unencrypted is imho definitely a bad idea. The previous system involving storing the passphrases in the GNOME keyring was a much better alternative. In the present case, anyone having sufficient permissions or physical access to the disk is able to read the user's passphrases; this is a big concern.

Example:

root@atom:/etc/NetworkManager/system-connections# cat Freebox-ABA336
[connection]
id=Freebox-ABA336
uuid=05e76e08-d8a7-43ef-99d1-91d42e0004ce
type=802-11-wireless
timestamp=1320076174

[802-11-wireless]
ssid=Freebox-ABA336
mode=infrastructure
mac-address=(mac address)
security=802-11-wireless-security

[802-11-wireless-security]
key-mgmt=wpa-psk
psk=(WPA passphrase in clear text!!)

[ipv4]
method=auto
dns=8.8.8.8;8.8.4.4;
ignore-auto-dns=true

[ipv6]
method=auto

Note that it is still possible to create user-specific (passphrase stored in keyring) connections by manually entering the details in nm-connection-editor, but few people will think about this.

Please either restore the previous behaviour, or provide a user-friendly way to choose what storage will be used, or provide a secure storage for system-wide passphrases.

Thank you in advance.
-- System Information:
Debian Release: wheezy/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages network-manager depends on:
ii adduser 3.113
ii dbus 1.4.16-1
ii isc-dhcp-client 4.1.1-P1-17
ii libc6 2.13-21
ii libdbus-1-3 1.4.16-1
ii libdbus-glib-1-2 0.98-1
ii libgcrypt11 1.5.0-3
ii libglib2.0-0 2.28.6-1
ii libgnutls26 2.12.11-1
ii libgudev-1.0-0 172-1
ii libnl1 1.1-7
ii libnm-glib4 0.9.0-2
ii libnm-util2 0.9.0-2
ii libpolkit-gobject-1-0 0.102-1
ii libuuid1 2.19.1-5
ii lsb-base 3.2-28
ii udev 172-1
ii wpasupplicant 0.7.3-5

Versions of packages network-manager recommends:
pn dnsmasq-base <none>
pn iptables 1.4.12-1
pn modemmanager <none>
pn policykit-1 0.102-1
pn ppp <none>

Versions of packages network-manager suggests:
pn avahi-autoipd <none>

-- no debconf information
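
An added example, not part of the original report or of NetworkManager's own code: a small Python audit that reports which keyfiles in a system-connections style directory carry a psk= entry in their [802-11-wireless-security] section, and whether the file mode lets group or others read it. The function names, the ExampleNet keyfile and its passphrase are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

SECTION = "802-11-wireless-security"  # section name as shown in the report

# Constructed sample keyfile (hypothetical network and passphrase).
SAMPLE = """[connection]
id=ExampleNet
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-psk
psk=constructed-example-passphrase
"""

def audit_keyfile(path):
    """Report plaintext-PSK exposure for one keyfile without echoing the secret."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keyfile keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except configparser.Error:
        return {"path": path, "error": "unparseable"}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "path": path,
        "plaintext_psk": bool(parser.get(SECTION, "psk", fallback="")),
        "mode": oct(mode),
        "group_or_other_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

def audit_dir(directory):
    """Audit every regular file in a system-connections style directory."""
    paths = (os.path.join(directory, n) for n in sorted(os.listdir(directory)))
    return [audit_keyfile(p) for p in paths if os.path.isfile(p)]

def demo():
    """Write the constructed sample world-readable and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ExampleNet")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_dir(d)

if __name__ == "__main__":
    print(demo())
```

Pointing audit_dir() at /etc/NetworkManager/system-connections requires read access to that directory; the result deliberately records only whether a passphrase is present, never its value.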