[BUG] Insecure permissions for configuration file holding hashed password & plaintext WiFi password #770

Open
ricardobranco777 opened this issue Dec 30, 2023 · 3 comments · May be fixed by #772
@ricardobranco777
Describe the bug

The configuration file which holds the hashed password & plaintext WiFi password has insecure permissions by default.

To Reproduce

On Linux:

$ ls -l "$HOME/.config/Raspberry Pi/Imager.conf"
-rw-rw-r--. 1 ricardo ricardo 775 Nov 19 12:13 Imager.conf
$ grep Password "$HOME/.config/Raspberry Pi/Imager.conf"
sshUserPassword=$5$xxx
wifiPassword=xxx

Expected behaviour

0600 permissions.
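
A check for the condition reported above, as an added example that is not part of the original issue and not rpi-imager code: it flags a config file that holds one of the two password keys shown in the `grep` output while being accessible to group or others, and sets it to the expected 0600. The function names and the demo file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not rpi-imager code): audit and tighten a config file that stores passwords.

# Octal mode of a file: GNU stat on Linux, BSD stat as a fallback.
file_mode() {
    stat -c '%a' -- "$1" 2>/dev/null || stat -f '%Lp' -- "$1"
}

# Succeeds when the file contains one of the password keys shown in the issue
# and any group/other permission bit is set.
exposes_secrets() {
    local file="$1" mode
    [ -f "$file" ] || return 1
    grep -Eq '^(sshUserPassword|wifiPassword)=' -- "$file" || return 1
    mode=$(file_mode "$file") || return 1
    # Leading 0 makes the arithmetic read both values as octal.
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Set the file to 0600, the mode the issue expects, and report the change.
harden_config() {
    local file="$1" before
    [ -f "$file" ] || { printf '%s: not found\n' "$file" >&2; return 2; }
    before=$(file_mode "$file")
    if exposes_secrets "$file"; then
        chmod 600 -- "$file"
        printf '%s: %s -> %s\n' "$file" "$before" "$(file_mode "$file")"
    else
        printf '%s: %s, nothing to change\n' "$file" "$before"
    fi
}

# Demo on a constructed file with placeholder values, not real credentials.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/Imager.conf"
printf 'sshUserPassword=$5$xxx\nwifiPassword=xxx\n' > "$demo_conf"
chmod 664 "$demo_conf"
harden_config "$demo_conf"
rm -rf -- "$demo_dir"

# Real use on Linux, with the path from the issue:
# harden_config "$HOME/.config/Raspberry Pi/Imager.conf"
```

The `chmod` is a stopgap: the page does not say whether the application keeps the mode on its next write, so the check is worth re-running after the imager has been used.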

@ricardobranco777 ricardobranco777 added the bug Something isn't working label Dec 30, 2023
@tdewey-rpi tdewey-rpi self-assigned this Jan 2, 2024
@tdewey-rpi
Collaborator

Thanks for the report, @ricardobranco777.

I can confirm I see the same, and will address this in a patch later this week.

tdewey-rpi added a commit to tdewey-rpi/rpi-imager that referenced this issue Jan 5, 2024
Use this mechanism to replace an older scheme that fully read and then fully wrote the file.

Resolves raspberrypi#770
@tdewey-rpi tdewey-rpi linked a pull request Jan 5, 2024 that will close this issue
@audas
audas commented Mar 2, 2024

Was under the impression that if we just re-used the passwords that were set in the imager that they would be correct - but they are not working for SSH.

So if I re-use a password for another Pi it is wrong as it has been hashed.

However the WiFi password remains correct???

@tdewey-rpi
Collaborator

> Was under the impression that if we just re-used the passwords that were set in the imager that they would be correct - but they are not working for SSH.
>
> So if I re-use a password for another Pi it is wrong as it has been hashed.
>
> However the WiFi password remains correct???

@audas This sounds like a different problem, but also one that I would expect to be true, as I don't know if SSH uses the same hashing scheme as WPA-PSK. Please raise unique issues for unique problems.
