
Bug 264000

Summary: =net-wireless/wpa_supplicant has world readable default configuration file
Product: Gentoo Security
Reporter: Kobboi <gentoo>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: major
CC: alexxy, gurligebis, jacobgodserv
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Kobboi 2009-03-27 20:53:33 UTC
The default configuration, /etc/wpa_supplicant/wpa_supplicant.conf, is world-readable, which seems to be a security threat.

Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-30 18:20:03 UTC
wpa_supplicant is running as root, so only root needs to read that file. I can reproduce this on 0.6.8 (which is not yet in the tree :-)
Comment 2 David J Cozatt 2010-09-01 00:15:50 UTC
Same for net-wireless/wpa_supplicant-0.7.2-r3.

This file contains keys and passwords. Needs fixing.

Checking the ebuild something similar to this?

+	# fix rights in etc/asterisk before installing to /etc/asterisk
+	cd "${D}";
+	for confile in etc/asterisk/*.*; do
+		fowners asterisk:asterisk $confile;
+		fperms 0660 $confile;
+	done;
 
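Review bot: the loop still globs etc/asterisk/*.* and sets fowners asterisk:asterisk with fperms 0660, so as written it does not touch /etc/wpa_supplicant/wpa_supplicant.conf, and 0660 leaves the files group-readable and group-writable. Since comment 1 states that only root needs to read the file, the equivalent for this package would be a single fperms 0600 on etc/wpa_supplicant/wpa_supplicant.conf with root ownership, with no loop needed. $confile is also unquoted in both the fowners and fperms calls; write it as "$confile" so a path containing whitespace is not split.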
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-13 11:33:08 UTC
Passwords are no longer stored in this file so this issue has been mitigated.  The conf file is now used as a dbus configuration.  Closing as noglsa due to age.
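
An added example (not part of the bug report or of any ebuild): a Python check for the condition discussed in this bug, which flags a wpa_supplicant configuration only when it is both readable beyond its owner and carries credential fields. The field list in `SECRET_KEYS`, the function names and the sample file contents are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# wpa_supplicant.conf fields that hold credentials (illustrative list, not exhaustive)
SECRET_KEYS = re.compile(
    r"^\s*(psk|password|sae_password|private_key2?_passwd|wep_key[0-3])\s*=")


def audit_conf(path):
    """Return (mode, exposure, secret_fields) for a wpa_supplicant config file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposure = []
    if mode & stat.S_IRGRP:
        exposure.append("group-readable")
    if mode & stat.S_IROTH:
        exposure.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        exposure.append("writable by non-owner")
    secret_fields = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = SECRET_KEYS.match(line)  # commented-out lines do not match
            if m:
                # record the field name and line only, never the value
                secret_fields.append((lineno, m.group(1)))
    return mode, exposure, secret_fields


def verdict(path):
    """FAIL: secrets exposed; WARN: loose mode but no secrets; OK otherwise."""
    _, exposure, secret_fields = audit_conf(path)
    if exposure and secret_fields:
        return "FAIL"
    return "WARN" if exposure else "OK"


def demo():
    """Run the check on a constructed sample file at mode 0644, then 0600."""
    sample = ('ctrl_interface=/var/run/wpa_supplicant\nnetwork={\n'
              '  ssid="example"\n  #psk="commented-out"\n'
              '  psk="constructed-passphrase"\n}\n')
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wpa_supplicant.conf")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        before = verdict(path)
        os.chmod(path, 0o600)
        return before, verdict(path)


if __name__ == "__main__":
    print(demo())
```

On a real system, point `verdict()` at /etc/wpa_supplicant/wpa_supplicant.conf; a WARN result corresponds to the state described in comment 3, where the file is readable but no longer holds passwords.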