Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 264000 - =net-wireless/wpa_supplicant has world readable default configuration file
Summary: =net-wireless/wpa_supplicant has world readable default configuration file
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2009-03-27 20:53 UTC by Kobboi
Modified: 2016-03-13 11:33 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kobboi 2009-03-27 20:53:33 UTC
The default configuration, /etc/wpa_supplicant/wpa_supplicant.conf, is world-readable, which seems to be a security threat.

Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-30 18:20:03 UTC
wpa_supplicant is running as root, so only root needs to read that file. i can reproduce this on 0.6.8 (which is not yet in the tree :-)
Comment 2 David J Cozatt 2010-09-01 00:15:50 UTC
same for net-wireless/wpa_supplicant-0.7.2-r3 

this file contains keys and passwords. Needs fixing. 

Checking the ebuild something similar to this?

+	# fix rights in etc/asterisk before installing to /etc/asterisk
+	cd "${D}";
+	for confile in etc/asterisk/*.*; do
+		fowners asterisk:asterisk $confile;
+		fperms 0660 $confile;
+	done;
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-13 11:33:08 UTC
Passwords are no longer stored in this file so this issue has been mitigated.  The conf file is now used as a dbus configuration.  Closing as noglsa due to age.