guysoft / OctoPi

Scripts to build OctoPi, a Raspberry PI distro for controlling 3D printers over the web
GNU General Public License v3.0

octopi-wpa-supplicant.txt should not remain world readable past first boot #773

Open JoveToo opened 2 years ago

JoveToo commented 2 years ago

Hi,

currently, the wireless password is passed into a fresh image by using octopi-wpa-supplicant.txt, this is fine. However, this file is world readable and can be read by anyone that can log into the device. Having files with passwords being world-readable is bad practice.

I would like to propose that on first boot, this file is copied to the /etc/wpa_supplicant directory, made readable only by wpa_supplicant (root), and then removed from the /boot partition.

~Changes for this should be trivial.~

foosel commented 2 years ago

Please never ever state that any kind of changes on a project you are not intimately familiar with should be trivial.

JoveToo commented 2 years ago

Point taken.

Whatever boot-up script exists for wpa_supplicant could check for this and execute the commands.

guysoft commented 2 years ago

At the moment I see no reason to change it, since it's the actual reason why OctoPi became so widely used in the first place. Because it means you can configure it headless in every system out there. Removing a setting from the /boot partition was a solution the RPi foundation came up with AFTER we set the setting at boot. And it was not adopted, my guess is because when you edit something and it vanishes, most likely with an error or typo, and does not work, it's not reliable.

This feature is part of CustomPiOS, which has a few other distros using it, and none of those had this issue posted either. It's a bit of a case of this: https://xkcd.com/2044/. In general you could only exploit this if you have a device on the network with the Pi that doesn't actually know the wifi settings to the Pi (ethernet?).

I am considering leaving this open to see if other people chime in and say that this is more of a security issue than I think it is.

JoveToo commented 2 years ago

It may be better to just do this if wpa_supplicant successfully associated to the network: then it will only disappear if it works.

It is more complex though.

guysoft commented 2 years ago

I am strongly against the idea of users putting their time into writing a file, making sure it's formatted correctly, and then deleting it. I speak from painful experience of filling in these config files for testing.
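The following is an added example of what the two JoveToo proposals above would look like as a first-boot script (copy the file into the wpa_supplicant directory with root-only permissions, and remove the /boot copy only after wpa_supplicant has actually associated). It is not code from OctoPi or CustomPiOS; the file paths, the `wlan0` interface name, and the use of `wpa_cli status` output (`wpa_state=COMPLETED`) as the association check are assumptions made for this example, and the check is passed in as a parameter so the logic can be exercised outside a Pi.

```shell
#!/bin/sh
# Added example, not OctoPi/CustomPiOS code. Paths and interface name are
# assumptions; on a real image this would run as root from a boot script.

# Copy the user-supplied config into the wpa_supplicant directory with
# root-only permissions. The umask makes the copy 0600 from creation, so
# the password is never even briefly world-readable at the destination.
# Returns non-zero if the source is missing or the copy fails.
install_wpa_conf() {
    src="$1"   # assumed: /boot/octopi-wpa-supplicant.txt
    dst="$2"   # assumed: /etc/wpa_supplicant/wpa_supplicant.conf
    [ -f "$src" ] || return 1
    ( umask 077 && cp "$src" "$dst" ) || return 1
    # If $dst already existed, cp keeps its old mode; force 0600 anyway.
    chmod 0600 "$dst" || return 1
    # chown needs root; skip it when run unprivileged (e.g. in a test).
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dst" || return 1
    fi
    return 0
}

# Reports the destination's permission string (e.g. -rw-------) so callers
# can verify the file is not group- or world-readable. Portable across
# GNU and BSD ls, unlike stat's format flags.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# True once wpa_supplicant has completed association on the interface.
# Assumption: wpa_cli prints a "wpa_state=COMPLETED" line when connected.
wpa_associated() {
    iface="${1:-wlan0}"
    wpa_cli -i "$iface" status 2>/dev/null | grep -q '^wpa_state=COMPLETED$'
}

# Remove the /boot copy only after the check succeeds, so a file with a
# typo does not vanish before the user can correct it (the objection
# raised in the thread). Returns 0 if removed, 2 if kept for now.
retire_boot_conf() {
    src="$1"
    check="${2:-wpa_associated}"
    if "$check"; then
        rm -f "$src" && return 0
    fi
    return 2
}

# Usage on a device (assumed paths): run from a boot script after the
# network comes up. Guarded so that sourcing this file runs nothing.
if [ "${1:-}" = "--first-boot" ]; then
    install_wpa_conf /boot/octopi-wpa-supplicant.txt \
                     /etc/wpa_supplicant/wpa_supplicant.conf || exit 1
    retire_boot_conf /boot/octopi-wpa-supplicant.txt
fi
```

Keeping the association check separate from the copy is what makes the second proposal workable: the root-only copy happens unconditionally at first boot, while the /boot file is only retired once the credentials are known to work, so the headless-configuration workflow is preserved and a broken file stays editable.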