Leaks wireguard keys

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
netplan.io (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
My netplan configuration is mode 600 (root read-write only), as it contains a wireguard VPN configuration, including a private key. Unfortunately, while netplan renders the wireguard interface correctly, it does so with world-readable files in /run/systemd/
1. Generate wireguard key-pair on client: wg genkey | tee key | wg pubkey > key.pub
2. cat key
+I55zxsqXrV7m
3. cat key.pub
RwBIJkrps+
4. Configure netplan with wireguard client configuration (/etc/netplan/
```yaml
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
  tunnels:
    wg0:
      mode: wireguard
      optional: true
      key: +I55zxsqXrV7mZ0
      addresses:
        - 192.168.2.5/24
      search: [waveform.org.uk]
      routes:
        - to: 192.168.2.0/24
      peers:
        - allowed-ips:
            - 192.168.2.0/24
          keys:
```
5. Run sudo netplan apply
6. Check modes of netplan configuration and the generated configuration under /run/systemd/
```
$ ls -l /etc/netplan/
-rw------- 1 root root 900 May 13 17:16 50-cloud-init.yaml
$ ls -l /run/systemd/
-rw-r--r-- 1 root root 246 Apr 19 15:25 10-netplan-
-rw-r--r-- 1 root root 194 Apr 19 15:25 10-netplan-
```
7. Check your private key in /run/systemd/
```
$ sudo grep key: /etc/netplan/
key: +I55zxsqXrV7mZ0
$ grep PrivateKey= /run/systemd/
PrivateKey=
```
(the keys above are ephemeral ones I generated for the purpose of this report; they're not secret and can be exposed without harm)
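The permission check in steps 6 and 7 can be turned into a repeatable audit. The script below is an added example, not code from this bug report or from netplan: it walks the `.netdev` files in a directory given as an argument (for instance the /run/systemd/network directory netplan writes to), flags those that carry a `PrivateKey=` line while any group or other permission bit is set, and can tighten them to 0600. It assumes GNU coreutils (`stat -c`, as on Ubuntu) and a POSIX shell; the fixture files it is exercised on are constructed and contain no real key.

```shell
#!/bin/sh
# Added example (not part of the bug report or of netplan). Audits generated
# systemd-networkd .netdev files for WireGuard private keys that are readable
# by group or others. Assumes GNU coreutils for 'stat -c %a' (Ubuntu).

# Return 0 if FILE holds a PrivateKey= line and its mode grants any
# group/other bit (e.g. 644), otherwise 1. Units without a key (bridges,
# vlans, ...) carry no secret and are ignored.
key_file_permissive() {
    [ -f "$1" ] || return 1
    grep -q '^PrivateKey=' "$1" || return 1
    mode=$(stat -c '%a' "$1")
    # Leading 0 makes the arithmetic treat the mode as octal; 077 masks the
    # group/other bits. 600, 400 and 700 all mask to 0 and pass.
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Print each offending .netdev file in DIR with its mode.
# Returns the number of offending files (0 means the directory is clean).
check_netdev_perms() {
    bad=0
    for f in "$1"/*.netdev; do
        key_file_permissive "$f" || continue
        echo "$f: mode $(stat -c '%a' "$f") exposes PrivateKey="
        bad=$((bad + 1))
    done
    return "$bad"
}

# Tighten every key-bearing .netdev file in DIR to 0600 (owner read/write only).
# Returns the number of files changed. netplan regenerates these files on
# 'netplan apply', so this is a stop-gap until a fixed package is installed.
fix_netdev_perms() {
    fixed=0
    for f in "$1"/*.netdev; do
        key_file_permissive "$f" || continue
        chmod 600 "$f" && fixed=$((fixed + 1))
    done
    return "$fixed"
}

# Usage: sh audit-netdev.sh /run/systemd/network
if [ $# -gt 0 ]; then
    check_netdev_perms "$1" && echo "no permissive key files in $1"
fi
```

The check deliberately keys on the `PrivateKey=` line rather than on the file name, so a `.netdev` for a bridge or VLAN at 0644 is left alone, and only units that would actually disclose a secret are reported or changed.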
Related branches
- Lukas Märdian: Approve
- Ubuntu Core Development Team: Pending requested
- Diff: 2060 lines (+2000/-1), 8 files modified
  debian/changelog (+20/-1)
  debian/netplan-generator.postinst (+15/-0)
  debian/patches/lp2065738/0012-cli-generate-call-daemon-reload-after-generate.patch (+82/-0)
  debian/patches/lp2065738/0013-libnetplan-use-more-restrictive-file-permissions.patch (+435/-0)
  debian/patches/lp2066258/0014-libnetplan-escape-control-characters.patch (+863/-0)
  debian/patches/lp2066258/0015-backends-escape-file-paths.patch (+288/-0)
  debian/patches/lp2066258/0016-backends-escape-semicolons-in-service-units.patch (+292/-0)
  debian/patches/series (+5/-0)
- Lukas Märdian: Approve
- Ubuntu Core Development Team: Pending requested
- Diff: 1961 lines (+1912/-0), 7 files modified
  debian/changelog (+15/-0)
  debian/netplan-generator.postinst (+15/-0)
  debian/patches/lp2065738/0013-libnetplan-use-more-restrictive-file-permissions.patch (+435/-0)
  debian/patches/lp2066258/0014-libnetplan-escape-control-characters.patch (+863/-0)
  debian/patches/lp2066258/0015-backends-escape-file-paths.patch (+288/-0)
  debian/patches/lp2066258/0016-backends-escape-semicolons-in-service-units.patch (+292/-0)
  debian/patches/series (+4/-0)
ACK. There's also a warning about it in the journal:
systemd-networkd[537]: /run/systemd/network/10-netplan-home0.netdev has 0644 mode that is too permissive, please adjust the ownership and access mode.
See FR-2634 and bug #1987842