sensitive config files are world-readable

Bug #1862600 reported by Rolf Leggewie
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
netplan.io (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

$ ll /etc/netplan/0*
-rw-r--r-- 1 root root 49 Apr 11 2018 /etc/netplan/00-network-manager.yaml
-rw-r--r-- 1 root root 293 Apr 11 2018 /etc/netplan/01-netcfg.yaml

/etc/netplan/01-netcfg.yaml in my config contains the wifi password. Booh!

Rolf Leggewie (r0lf)
tags: added: community-security
Alex Murray (alexmurray)
affects: plan (Ubuntu) → netplan.io (Ubuntu)
Alex Murray (alexmurray)
information type: Public → Public Security
tags: removed: community-security
Changed in netplan.io (Ubuntu):
status: New → Confirmed
tags: added: rls-ff-incoming
tags: added: rls-bb-incoming
removed: rls-ff-incoming
Revision history for this message
Lukas Märdian (slyon) wrote :

We actually want to recommend the usage of mode 600 (-rw-------), i.e. owner (root) read-only, from a Netplan POV.

And updated our internal code accordingly, in addition to printing a warning if more open permissions are being used: https://github.com/canonical/netplan/pull/300

Changed in netplan.io (Ubuntu):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.106-0ubuntu1

---------------
netplan.io (0.106-0ubuntu1) lunar; urgency=medium

  * New upstream release: 0.106
    - New 'netplan status' CLI (#290)
    - API: implement APIs from the new specification (#298)
    - Check and fix non-inclusive laguange (#303)
    - Documentation improvements (using Diátaxis & RTD)
    - Match by PermanentMACAddress (#278)
    - Netplan api iterator (#306)
    - API: update netplan_delete_connection() (#322)
    - NM 1.40 compat & file permission fixes (#300), LP: #1862600, LP: #1997348
    - Migrate from (deprecated) nose to pytest (#302)
    - parse: Add the filepath to OVS ports netdefs (#295)
    - Check if the interface name is too long (#313), LP: #1988749
    - doc/examples: remove unnecessary route for IPv6 on-link gateways (#312)
    - Memory leak CI action (#321)
    - tests:base:ethernets: Improve stability of autopkgtests (#223)
    Bug fixes:
    - Fix some memory leaks (#297)
    - parser: plug a memory leak (#309)
    - src:parse: plug memory leaks in nullable handling (#319)
    - Fix 'netplan ip leases' crash (#301), LP: #1996941
    - tests: mock calls to systemctl (#314)
    - ctests: fix an integer conversion issue (#315)
    - docs: small fix on netplan-set doc (#316)
    - parser: return the correct error on failure (#308), LP: #2000324
    - apply: Fix crash when OVS is stopped (#307),LP: #1995598
    - networkd: make sure VXLAN is in the right section (#310), LP: #2000713
    - cli:set: update only specific origin-hint if given (#299), LP: #1997467
    - vxlan: convert some settings to tristate (#311), LP: #2000712
    - parser: check for route duplicates (#320), LP: #2003061
  * Update symbols file for 0.106
  * d/patches/: Drop patches, applied upstream
  * d/control: bump Standards-Version to 4.6.2, no changes needed
  * d/t/control: prepare Debian testbed
  * d/control: Add python3-dbus, python3-rich deps, also CMocka and Pytest B-Ds
  * d/watch: fix checking for upstream tags
  * d/copyright: update for 2023
  * d/source/: add lintian-overrides

 -- Lukas Märdian <email address hidden> Thu, 09 Feb 2023 12:10:19 +0100

Changed in netplan.io (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.