Date: Thu, 14 Jul 2005 23:08:14 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: Sam Leffler <sam@errno.com> Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sbin/ifconfig ifconfig.8 ifconfig.c ifconfig.h ifieee80211.c Message-ID: <20050714225706.Q35071@fledge.watson.org> In-Reply-To: <42D6E001.1020001@errno.com> References: <200507141833.j6EIXLPA001703@repoman.freebsd.org> <42D6DD30.6020900@errno.com> <20050714224327.O35071@fledge.watson.org> <42D6E001.1020001@errno.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 14 Jul 2005, Sam Leffler wrote: > As to printing sensitive material I question how important this is. If > it's a wep key it's trivially cracked by other means. If it's a WPA or > 802.1x key then it's rotated frequently and, for WPA at least, protected > by addiitonal means that makes grabbing it via screen-scrape much less > useful (only the GTK is displayed for WPA, not the PTK which is > potentially more sensitive). If you want to improve the situation for > disclosing sensitive info then we should work on adding keychain style > storage for sensitive info like static keys and wpa-psk's. > > So I guess my argument against this is you're changing long-standing > behaviour w/ little benefit. Sorry about committing it over your objection -- I obviously misremembered the degree to which you disagreed with the proposed change. I'm willing to back it out, but not happy about the idea. Here's my view on things: Either the key is sensitive, or it's not. If it's not, then why are we checking for root privilege? If it is, why are we printing it without being asked to? I'm a fan of the model that says ifconfig(8) manages all the properties of the network interface. However, part of ifconfig(8) managing more complex properties of those interfaces is that it has to respect the sensitivity of the data it handles. This never came up before for ifconfig(8) because we didn't consider any of the data it handled sensitive. Running "ifconfig" or "ifconfig -a" is a fairly common administrator activity to check the configuration of the system. When it comes to people looking over your shoulder, scroll-back, /var/log/console.log, or dmesg -a output, I would prefer that keying material not appear there unless specifically requested. As to historical behavior -- I've been complaining even since that behavior with ifconfig(8) since I first noticed it, as you pointed out. I think wicontrol's behavior was improper also, but at least it wasn't printed out automatically every time the system booted, or every time I check to see if I have an association. Robert N M Watson
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050714225706.Q35071>