
Bug 705960

Summary: net-misc/networkmanager-1.18.4-r2 changes WiFi MAC address with every activation
Product: Gentoo Linux
Reporter: Johannes Hirte <johannes.hirte>
Component: Current packages
Assignee: Gentoo Linux Gnome Desktop Team <gnome>
Status: CONFIRMED ---
Severity: normal
CC: candrews, crabbedhaloablution, gentoo, naota, stoffepojken, zerochaos
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: MAC Range

Description Johannes Hirte 2020-01-20 15:17:13 UTC
With net-misc/networkmanager-networkmanager-1.18.4-r2 I don't have a stable MAC-address anymore. Every suspend/resume will generate a new MAC-address. This is a no-go for networks with MAC-based authentication.

https://bugs.gentoo.org/702476 seems related to this.

Reproducible: Always
Comment 1 Johannes Hirte 2020-01-20 15:17:47 UTC
emerge --info

Portage 2.3.84 (python 3.8.1-final-0, default/linux/amd64/17.1/systemd, gcc-9.2.0, glibc-2.30-r3, 5.5.0-rc7 x86_64)
=================================================================
System uname: Linux-5.5.0-rc7-x86_64-AMD_Ryzen_5_PRO_2500U_w-_Radeon_Vega_Mobile_Gfx-with-glibc2.4
KiB Mem:    15309096 total,  10289064 free
KiB Swap:    2097148 total,   2097148 free
Head commit of repository gentoo: 0f099b677fd61f5c7ad8f665938718470338caa5

Head commit of repository kde: 6be0d53b9443ab8067886fe9e66f80635e86d7f3

Head commit of repository qt: f404e1609ada2d6e43543ea262f680e405ea154f

sh bash 5.0_p11
ld GNU ld (Gentoo 2.33.1 p2) 2.33.1
distcc 3.3.3 x86_64-pc-linux-gnu [disabled]
app-shells/bash:          5.0_p11::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.30.1::gentoo
dev-lang/python:          2.7.17-r1::gentoo, 3.6.10::gentoo, 3.7.6::gentoo, 3.8.1::gentoo
dev-util/cmake:           3.16.2-r1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/sandbox:         2.18::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:       1.16.1-r2::gentoo
sys-devel/binutils:       2.33.1-r1::gentoo
sys-devel/gcc:            9.2.0-r3::gentoo
sys-devel/gcc-config:     2.2::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.30-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://anongit.gentoo.org/repo/gentoo.git
    priority: -1000

kde
    location: /usr/local/portage/kde
    sync-type: git
    sync-uri: git://anongit.gentoo.org/proj/kde.git
    masters: gentoo
    priority: 50

qt
    location: /usr/local/portage/qt
    sync-type: git
    sync-uri: git://anongit.gentoo.org/proj/qt.git
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=znver1 -mtune=znver1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=512 -ftree-vectorize -fvect-cost-model -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.4/ext-active/ /etc/php/cgi-php7.4/ext-active/ /etc/php/cli-php7.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=znver1 -mtune=znver1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=512 -ftree-vectorize -fvect-cost-model -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --quiet-build=n"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -march=znver1 -mtune=znver1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=512 -ftree-vectorize -fvect-cost-model -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync metadata-transfer multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -march=znver1 -mtune=znver1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=512 -ftree-vectorize -fvect-cost-model -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de en"
MAKEOPTS="-j8 -l8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac aacplus acl alsa alt-svc amd64 amr amrenc anacron berkdb bluetooth bzip2 cairo caps celt chm cleartype_hinting cli corefonts crypt cryptsetup cups cxx d3d9 dav1d dbus default-gold dell device-mapper djvu dri drm dvd ebook editorconfig efi egl eps epub evdev exif faac fdk ffmpeg fftw flac fontconfig fortran gbm gdbm gif git glamor gmp gold gpg gphoto2 gpm graphviz harfbuzz iconv icu id3tag ipv6 ithreads jpeg kipi lcms lensfun libatomic libcxx libcxxabi libffi libinput libkms libsamplerate libtirpc libunwind libxml2 lm-sensors lz4 lzma lzo mad matroska mjpeg mmap mng mobi modern-top mp3 mpeg mtp multilib mysql ncurses networkmanager nfs nls nptl ogg openal opencl opencv openexr opengl openmp openssl opus pam parted pcre pcre16 pdf png policykit postscript pulseaudio python qml qt5 raw readline s3tc schroedinger sdl sdl2 seccomp sift smp sndfile sox speex spice split-usr sqlite ssl subversion svg system-jsoncpp system-sqlite systemd taglib tcpd tesseract theora threads thumbnail tiff truetype udev uefi unicode urandom usb usbredir user-session v4l vaapi vde vdpau vhosts virgl virt-network virtfs vorbis vpx vte vulkan wavpack wayland webp wmf x264 x265 xattr xcb xcomposite xkb xml xmp xpm xv xvid zip zlib zstd" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" 
CAMERAS="canon ricoh ricoh_g3" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext popcnt sse sse2 sse3 ssse3 sse4_1 sse4_2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-32 efi-64 pc" INPUT_DEVICES="evdev libinput synaptics" KERNEL="linux" L10N="de en" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LLVM_TARGETS="AMDGPU BPF NVPTX X86" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_7" PYTHON_TARGETS="python3_7 python3_8" RUBY_TARGETS="ruby25" USERLAND="GNU" VIDEO_CARDS="amdgpu" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-01-20 15:40:23 UTC
Sounds like a security feature to me. Or maybe something is wrong with the way the feature works?
Comment 3 Pacho Ramos gentoo-dev 2020-01-20 21:03:34 UTC
It is a security feature 
https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/

Adding:
[device]
wifi.scan-rand-mac-address=no

to /etc/NetworkManager.conf should change the behavior

I needed to set that because the mac randomization also breaks some drivers, for example rtl8192eu (for a Wifi USB stick I use) was unable to reconnect due to that. That caused Ubuntu to default to disable the randomization. Also in some places they recommend to disable it to avoid these problems:
https://github.com/aircrack-ng/rtl8812au/blob/v5.6.4.2/README.md
https://wiki.debian.org/WiFi#Simple_guide
https://github.com/Mange/rtl8192eu-linux-driver/issues/64#issuecomment-347763424
https://github.com/Mange/rtl8192eu-linux-driver/issues/46#issuecomment-325977795
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1681513

Maybe the default value could be switchable with a USE flag :/
Comment 4 Johannes Hirte 2020-01-20 23:33:35 UTC
I suggest not to change the behaviour with a bugfix update. Or at least a very big warning should be added, and the need for the user changing this explicitly, e.g. etc-update.

As already mentioned, this breaks networks with MAC-based authentication.
Comment 5 Yuri Sevatz 2020-01-21 01:13:36 UTC
Not to pile on here, but I have a machine with an Ethernet connection on my network that keeps getting assigned a new mac address every time I restart it after this update.  Now I can never locate the machine on my network without physically going to it :(

Is this intentional?  I've tried stopping NetworkManager and then deleting all of /var/lib/NetworkManager/*, then rebooting the machine to no avail.  The only thing I do a bit different than most is I boot my kernel with net.ifnames=0.

Something really screwy is going on with this release.  Not every machine is hitting this though, which makes this even weirder.
Comment 6 Yuri Sevatz 2020-01-21 01:50:56 UTC
BAD NEWS -- I tested this version on 5 separate machines...

3/5 of the machines have 1 Ethernet
2/5 of the machines have 1 Ethernet + 1 Wifi

The machines with 1 Ethernet + 1 Wifi adapter are getting assigned a random mac address on their Wifi adapter on every boot, while the Ethernet adapter remains unrandomized.  This sounds like what you were aiming for.

The machines with 1 Ethernet adapter are getting assigned random mac addresses on their Physical Ethernet adapter every time I boot them.

net.ifnames=0 has NO effect.  (I tried Enabling/Disabling it, stopping + wiping out /var/lib/NetworkManager/*, and then rebooting, and leaving all other NetworkManager configs default) -- those machines are always getting a random mac on their Ethernet adapters.

Adding:

[device]
wifi.scan-rand-mac-address=no

^^ Does not help. 

... This Physical Ethernet mac randomization looks like a show stopper for this version.  Can someone else confirm on a machine with only physical Ethernet connections?
Comment 7 Yuri Sevatz 2020-01-21 02:04:03 UTC
Hold the door, I didn't read the blog link.

Ethernet Randomization is a thing now too.  Though based on my report it looks like it's a bit buggy right now.
Comment 8 Yuri Sevatz 2020-01-21 02:42:09 UTC
I did a little more poking around.

To manage the new connection mac behavior, you can set these in /etc/NetworkManager/NetworkManager.conf:

[connection-mac-randomization]
ethernet.cloned-mac-address=permanent
wifi.cloned-mac-address=permanent

^^ While these generally behave as expected when specified in your config, I'm finding two new things in net-misc/networkmanager-1.18.4-r2:

#1 By default, wifi.cloned-mac-address=random 
#2 By default, ethernet.cloned-mac-address=random, but ONLY if you don't have a physical wifi adapter installed on your machine.

I can't find any reference to #2 behavior being intentional... as the man page clearly states:

       ethernet.cloned-mac-address
           If left unspecified, it defaults to "preserve".

1 - is arguably a security improvement though we really should push a news release rather than changing this suddenly.
2 - is going to cause a lot of pain.
Comment 9 Yuri Sevatz 2020-01-21 02:46:40 UTC
Worth noting the man page still says this too:

       wifi.cloned-mac-address
           If left unspecified, it defaults to "preserve".
Comment 10 Larry the Git Cow gentoo-dev 2020-01-21 08:47:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd136550a692e1e6aed4313e6059cb4ab958dfbf

commit dd136550a692e1e6aed4313e6059cb4ab958dfbf
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-01-21 08:46:50 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-01-21 08:47:03 +0000

    net-misc/networkmanager: back out the privacy changes for now
    
    Bug: https://bugs.gentoo.org/705960
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 ...{networkmanager-1.18.4-r2.ebuild => networkmanager-1.18.4-r3.ebuild} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Ulenrich 2020-01-21 19:09:02 UTC
I tried many things to keep a stable mac 
but only the last helped, using:
generate-mac-address-mask

This is the paragraph in my wifi connection setup:
---
[802-11-wireless]
ssid=dachsuli
bssid=94:4A:0C:63:BA:22
wifi.cloned-mac-address=preserve
generate-mac-address-mask=FF:FF:FF:FF:FF:FF
assigned-mac-address=00:26:08:ed:96:26
mac-address=00:26:08:ed:96:26
mac-address-randomization=0
mode=infrastructure

---
When looking into the code of networkmanager, not me wonders
that there is chaos in nm settings ....  
:(
Comment 12 Rick Farina (Zero_Chaos) gentoo-dev 2020-01-22 15:33:45 UTC
This is super odd, the installed files should have generated a stable mac address per connection.  Either network manager is fully broken (I've tested and it doesn't appear to be) or something else is going on here.

https://github.com/NetworkManager/NetworkManager/blob/master/examples/nm-conf.d/30-anon.conf

I see a lot of comments about how the mac address changes, but none specific to this not working exactly as intended (the same random mac address per connection).

Additionally, backing out 31-mac-addr-change.conf does the OPPOSITE and allows the default mac randomization during scanning which breaks on a bunch of known drivers.  Please don't equate the two changes and back both out.  Please restore 31-mac-addr-change.conf as soon as possible to fix these broken drivers.
Comment 13 Rick Farina (Zero_Chaos) gentoo-dev 2020-01-22 17:16:30 UTC
My git repo was out of date, the mac randomization disable for known broken driver is in there. Apologies for the confusion.
Comment 14 Mike Lothian 2020-01-23 12:33:57 UTC
I realise this has been reverted now, but I couldn't connect to the internet on my HyperV Gentoo image which caused major headaches until I found the cause. I'm still not sure why it wasn't working
Comment 15 Mike Lothian 2020-01-23 12:39:54 UTC
Created attachment 604058 [details]
MAC Range

I think I've found it, there's a global setting inside the Virtual Switches 

Perhaps the randomised numbers weren't inside that range?
Comment 16 Ulenrich 2020-01-24 12:04:59 UTC
(In reply to Mike Lothian from comment #15)
> Created attachment 604058 [details]
> MAC Range
> 
> I think I've found it, there's a global setting inside the Virtual Switches 
> 
> Perhaps the randomised numbers weren't inside that range?

Yes, therefore in your case:
generate-mac-address-mask=FF:FF:FF:FF:FF:00
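
Added example, not part of the bug thread and not NetworkManager's code: a simplified Python model of how generate-mac-address-mask (comments 11 and 16) combines the device MAC with random bits when cloned-mac-address is "random" or "stable", following the nm-settings documentation. The function names are hypothetical, and the device address and allowed range used in the demo are constructed values.

```python
import secrets


def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 6-octet MAC: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def generate_mac(mask, current, rand=None):
    """Mask bits set to 1 are copied from the current MAC; bits set to 0
    are randomized. `rand` lets a caller inject the 6 random bytes."""
    m, cur = parse_mac(mask), parse_mac(current)
    rnd = bytearray(rand if rand is not None else secrets.token_bytes(6))
    if len(rnd) != 6:
        raise ValueError("need exactly 6 random bytes")
    # The random part is made unicast and locally administered first ...
    rnd[0] = (rnd[0] & 0xFE) | 0x02
    # ... then every bit covered by the mask is overwritten from the device MAC.
    out = bytes((r & ~k & 0xFF) | (c & k) for r, k, c in zip(rnd, m, cur))
    return format_mac(out)


def in_range(mac, low, high):
    """True if mac lies in [low, high], e.g. a switch's permitted MAC pool."""
    return parse_mac(low) <= parse_mac(mac) <= parse_mac(high)


if __name__ == "__main__":
    device = "00:11:22:33:44:10"                       # constructed device MAC
    low, high = "00:11:22:33:44:00", "00:11:22:33:44:FF"  # constructed pool
    for mask in ("00:00:00:00:00:00", "FF:FF:FF:FF:FF:00", "FF:FF:FF:FF:FF:FF"):
        mac = generate_mac(mask, device)
        print(f"mask={mask} -> {mac} in_pool={in_range(mac, low, high)}")
```

With an all-zero mask the first octet always carries the locally-administered bit, so the result can never fall inside a pool whose prefix starts with 00, which is consistent with the guess in comment 15.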