Date: Thu, 14 Jul 2005 15:19:57 -0700 From: Sam Leffler <sam@errno.com> To: Robert Watson <rwatson@FreeBSD.org> Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sbin/ifconfig ifconfig.8 ifconfig.c ifconfig.h ifieee80211.c Message-ID: <42D6E50D.6000606@errno.com> In-Reply-To: <20050714225706.Q35071@fledge.watson.org> References: <200507141833.j6EIXLPA001703@repoman.freebsd.org> <42D6DD30.6020900@errno.com> <20050714224327.O35071@fledge.watson.org> <42D6E001.1020001@errno.com> <20050714225706.Q35071@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Robert Watson wrote: > > On Thu, 14 Jul 2005, Sam Leffler wrote: > >> As to printing sensitive material I question how important this is. >> If it's a wep key it's trivially cracked by other means. If it's a >> WPA or 802.1x key then it's rotated frequently and, for WPA at least, >> protected by addiitonal means that makes grabbing it via screen-scrape >> much less useful (only the GTK is displayed for WPA, not the PTK which >> is potentially more sensitive). If you want to improve the situation >> for disclosing sensitive info then we should work on adding keychain >> style storage for sensitive info like static keys and wpa-psk's. >> >> So I guess my argument against this is you're changing long-standing >> behaviour w/ little benefit. > > > Sorry about committing it over your objection -- I obviously > misremembered the degree to which you disagreed with the proposed > change. I'm willing to back it out, but not happy about the idea. > Here's my view on things: > > Either the key is sensitive, or it's not. If it's not, then why are we > checking for root privilege? If it is, why are we printing it without > being asked to? > > I'm a fan of the model that says ifconfig(8) manages all the properties > of the network interface. However, part of ifconfig(8) managing more > complex properties of those interfaces is that it has to respect the > sensitivity of the data it handles. This never came up before for > ifconfig(8) because we didn't consider any of the data it handled > sensitive. Running "ifconfig" or "ifconfig -a" is a fairly common > administrator activity to check the configuration of the system. When > it comes to people looking over your shoulder, scroll-back, > /var/log/console.log, or dmesg -a output, I would prefer that keying > material not appear there unless specifically requested. > > As to historical behavior -- I've been complaining even since that > behavior with ifconfig(8) since I first noticed it, as you pointed out. > I think wicontrol's behavior was improper also, but at least it wasn't > printed out automatically every time the system booted, or every time I > check to see if I have an association. You didn't point out keys were being printed on boot (so it goes in /var/log/messages etc.). In that case I'm fine with this change. Sam
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42D6E50D.6000606>