No subject


Thu Jun 25 05:52:11 EDT 2020


From a least privileges perspective:

- chmod o-rwx /var/run/hostapd-phyX.conf
- chmod o-x uci # setfacl?

Compromise of a service running as a different user should not result in
disclosure of sensitive keys only necessary for different services.

https://openwrt.org/docs/guide-user/security/security-features mentions
procd jail / chroot?

AFAIU, LXC is not available in the default kernel builds in any router? LXC
would be an additional layer of defenses over and above chroot, which isn't
seccomp

On Fri, Apr 17, 2020, 5:13 AM Joel Wirāmu Pauling <joel at aenertia.net> wrote:

> No. If you have physical access to the node and/or a valid login as Admin
> then any form of PSK is vulnerable.
>
> If you are concerned about PSK's being exposed then you have the option to
> run 802.1x auth and issue tokens out of radius/IDM that is secured
> elsewhere than on the AP itself.
>
> On Fri, 17 Apr 2020 at 20:16, e9hack <e9hack at gmail.com> wrote:
>
>> Hi,
>>
>> the configuration files for hostapd (/var/run/hostapd-phyX.conf) are
>> readable for everyone. This means everyone can read the wifi passwords. If
>> a non privileged user calls 'uci show wireless', he will also get all wifi
>> passwords. This is possible e.g. for user nobody and dnsmasq.
>>
>> Is this a security issue?
>>
>> Regards,
>> Hartmut
>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>
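As an added example that is not part of the thread, a small POSIX sh audit of the permission problem Hartmut reports and of the chmod o-rwx fix suggested in the reply; CONF_DIR and the helper names are assumptions, not OpenWrt tooling.

```shell
#!/bin/sh
# Added example, not code from the thread: list hostapd runtime configs
# that grant any permission to "other" (the leak reported above) and apply
# the chmod o-rwx suggested in the reply. Assumes POSIX sh with ls(1),
# cut(1) and chmod(1) from busybox or coreutils; CONF_DIR is an assumption
# that defaults to the /var/run path named in the thread.
CONF_DIR="${CONF_DIR:-/var/run}"

# Print the "other" permission triplet of a file, e.g. "r--" or "---".
# Columns 8-10 of the ls -l mode string are the other-user bits, which is
# more portable across busybox and coreutils than stat(1) format flags.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Exit 0 when the file grants any read/write/execute bit to "other".
is_world_accessible() {
    [ -e "$1" ] || return 2
    [ "$(other_bits "$1")" != "---" ]
}

# Print every hostapd-phy*.conf under $1 that any local user (nobody,
# dnsmasq, ...) could open and read the wpa_passphrase/wpa_psk from.
audit_hostapd_confs() {
    for f in "$1"/hostapd-phy*.conf; do
        [ -e "$f" ] || continue            # glob matched nothing
        is_world_accessible "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Count the configs still exposed under $1 (0 after a successful fix).
count_exposed() {
    audit_hostapd_confs "$1" | wc -l | tr -d ' '
}

# Drop all "other" bits; the owning user and group keep their access,
# so the daemon that owns the file can still read it.
lock_down() {
    chmod o-rwx "$1"
}

case "${1:-audit}" in
    audit) audit_hostapd_confs "$CONF_DIR" ;;
    fix)   audit_hostapd_confs "$CONF_DIR" | while read -r f; do
               lock_down "$f"
           done ;;
esac
```

Run it without arguments to list exposed files, or with `fix` to tighten them; the `uci` binary from the reply's second bullet would need a separate `chmod o-x` since it is not a config file.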
