[OpenWrt-Devel] Possible security issue
Joel Wirāmu Pauling
joel at aenertia.net
Sat Apr 18 22:22:01 EDT 2020
I'm sorry for wading into this. As with any security related discussion
strawpeople can be made to support any particular thread pulling into
infinity.
Would I love to see namespaces used as part of the base Openwrt
architecture; absolutely. It's been discussed in the past; routing in
particular would benefit immensely from this ; use of different routing
table ID's is a step towards that, but complications like passing device
id's in and out of namespaces however for the switch side of things is
problematic and adds additional overhead as will it introduce issues at the
expense of separation and flexibility.
That potentially could mitigate some of your concerns, but I feel the
preposition for me is openwrt is not multi-user by default OOTB for most
(if not all) targets; and if you want it to be you can.
So fiddling inode bitmasks is not addressing anything IMNSHO because of
that fact.
On Sat, 18 Apr 2020 at 00:50, Wes Turner <wes.turner at gmail.com> wrote:
> From a least privileges perspective:
>
> - chmod o-rwx /var/run/hostapd-phyX.conf
> - chmod o-x uci # setfacl?
>
> Compromise of a service running as a different user should not result in
> disclosure of sensitive keys only necessary for different services.
>
> https://openwrt.org/docs/guide-user/security/security-features mentions
> procd jail / chroot?
>
> AFAIU, LXC is not available in the default kernel builds in any router?
> LXC would be an additional layer of defenses over and above chroot, which
> isn't seccomp
>
> On Fri, Apr 17, 2020, 5:13 AM Joel Wirāmu Pauling <joel at aenertia.net>
> wrote:
>
>> No. If you have physical access to the node and/or a valid login as Admin
>> then any form of PSK is vulnerable.
>>
>> If you are concerned about PSK's being exposed then you have the option
>> to run 802.1x auth and issue issues tokens out of radius/IDM that is
>> secured elsewhere than on the AP itself.
>>
>> On Fri, 17 Apr 2020 at 20:16, e9hack <e9hack at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> the configuration files for hostapd (/var/run/hostapd-phyX.conf) are
>>> readable for everyone. This means everyone can read the wifi passwords. If
>>> a non privileged user calls 'uci show wireless', he will also get all wifi
>>> passwords. This possible e.g. for user nobody and dnsmasq.
>>>
>>> Is this a a security issue?
>>>
>>> Regards,
>>> Hartmut
>>>
>>> _______________________________________________
>>> openwrt-devel mailing list
>>> openwrt-devel at lists.openwrt.org
>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20200419/9048eb6f/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list