On Mon, Nov 27 2017, Stefan Sperling <[email protected]> wrote:
> On Mon, Nov 27, 2017 at 02:33:59AM +0100, Stefan Sperling wrote:
>> Most people I've talked to seem to be OK with never exposing
>> these secrets to userland in the first place.
Makes sense.
> Better diff for the wireless part.
> WEP keys showed up as 0x00000... instead of '<not displayed>' in
> the previous diff.
Yep. ifconfig(8) already handles EPERM properly. We can also kill dead
code in ifconfig(8) (see diff below). I guess that a bunch of wireless
management scripts, which parse the output of ifconfig(8) run as root,
won't expect the <> notation, but we can live with this IMO.
ok jca@ (carp, sppp + revised 80211 changes)
Index: ifconfig.c
===================================================================
RCS file: /d/cvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.351
diff -u -p -p -u -r1.351 ifconfig.c
--- ifconfig.c 17 Nov 2017 18:04:51 -0000 1.351
+++ ifconfig.c 27 Nov 2017 18:56:12 -0000
@@ -2124,70 +2124,12 @@ ieee80211_status(void)
}
}
- if (inwkey == 0 && nwkey.i_wepon > IEEE80211_NWKEY_OPEN) {
- fputs(" nwkey ", stdout);
- /* try to retrieve WEP keys */
- for (i = 0; i < IEEE80211_WEP_NKID; i++) {
- nwkey.i_key[i].i_keydat = keybuf[i];
- nwkey.i_key[i].i_keylen = sizeof(keybuf[i]);
- }
- if (ioctl(s, SIOCG80211NWKEY, (caddr_t)&nwkey) == -1) {
- fputs("<not displayed>", stdout);
- } else {
- nwkey_verbose = 0;
- /*
- * check to see non default key
- * or multiple keys defined
- */
- if (nwkey.i_defkid != 1) {
- nwkey_verbose = 1;
- } else {
- for (i = 1; i < IEEE80211_WEP_NKID; i++) {
- if (nwkey.i_key[i].i_keylen != 0) {
- nwkey_verbose = 1;
- break;
- }
- }
- }
- /* check extra ambiguity with keywords */
- if (!nwkey_verbose) {
- if (nwkey.i_key[0].i_keylen >= 2 &&
- isdigit((unsigned
char)nwkey.i_key[0].i_keydat[0]) &&
- nwkey.i_key[0].i_keydat[1] == ':')
- nwkey_verbose = 1;
- else if (nwkey.i_key[0].i_keylen >= 7 &&
- strncasecmp("persist",
- (char *)nwkey.i_key[0].i_keydat, 7) == 0)
- nwkey_verbose = 1;
- }
- if (nwkey_verbose)
- printf("%d:", nwkey.i_defkid);
- for (i = 0; i < IEEE80211_WEP_NKID; i++) {
- if (i > 0)
- putchar(',');
- if (nwkey.i_key[i].i_keylen < 0) {
- fputs("persist", stdout);
- } else {
- /*
- * XXX
- * sanity check nwkey.i_key[i].i_keylen
- */
- print_string(nwkey.i_key[i].i_keydat,
- nwkey.i_key[i].i_keylen);
- }
- if (!nwkey_verbose)
- break;
- }
- }
- }
+ if (inwkey == 0 && nwkey.i_wepon > IEEE80211_NWKEY_OPEN)
+ fputs(" nwkey <not displayed>", stdout);
+
+ if (ipsk == 0 && psk.i_enabled)
+ fputs(" wpakey <not displayed>", stdout);
- if (ipsk == 0 && psk.i_enabled) {
- fputs(" wpakey ", stdout);
- if (psk.i_enabled == 2)
- fputs("<not displayed>", stdout);
- else
- print_string(psk.i_psk, sizeof(psk.i_psk));
- }
if (iwpa == 0 && wpa.i_enabled) {
const char *sep;
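Review bot: With the SIOCG80211NWKEY retrieval branch removed, `keybuf` and `nwkey_verbose` have no remaining use in the visible part of ieee80211_status(). Their declarations lie outside this hunk, so confirm they are dropped as well; otherwise the function keeps an unused key-sized buffer and the build gains unused-variable warnings. The two new `fputs` lines would also benefit from a short comment such as `/* key material is never fetched from the kernel; only report that a key is configured */`. That would record that the redaction is enforced by the kernel-side ioctl handlers refusing to return keys, which is what the thread implies, and not by this userland change, which alone does not stop another caller from issuing the ioctl. ieee80211_status() starts and ends outside the hunk, so whether `nwkey.i_wepon` and `psk.i_enabled` are still populated by an earlier query cannot be checked from here.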
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE