nmcli: writing secrets to command line is a security hole (#3160)

* nmcli: use `stdin` for setting private `wifi_sec` options

I.E.:
* `802-11-wireless-security.leap-password`
* `802-11-wireless-security.psk`
* `802-11-wireless-security.wep-key0`
* `802-11-wireless-security.wep-key1`
* `802-11-wireless-security.wep-key2`
* `802-11-wireless-security.wep-key3`

* Changelog fragment formatting.

* Update changelogs/fragments/3160-pass-wifi-secrets-via-stdin-to-nmcli-module.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Make `wifi_sec_secret_options()` into a constant

* Minor cleanup

`'set ' + key + ' ' + value`
=>
`'set %s %s' % (key, value)`

* Change `casing`

* Change `WIFI_SEC_SECRET_OPTIONS` from `list` to `tuple`

* Update `edit_connection()` to not reset `edit_commands`

It will just re`set` them if `edit_connection()` is called more than 
once.

* Do not call `edit_connection()` if `connection_update(*)` fails

* Fixed `pep8` issue `E713` in tests

`test for membership should be 'not in'`

* Simplify `create_connection()`/`modify_connection()` logic

* `WIFI_SEC_SECRET_OPTIONS`=>`SECRET_OPTIONS`, options are prefixed

* Moved `if key in self.SECRET_OPTIONS` into `if value is not None` check

We don't need to do anything if the value is None

Co-authored-by: Felix Fontein <felix@fontein.de>
David Hummel 2021-08-08 09:35:52 -07:00 committed by GitHub
parent 2831bc45f5
commit 7f96b7df60
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 166 additions and 3 deletions


@ -709,6 +709,15 @@ class Nmcli(object):
platform = 'Generic'
distribution = None
SECRET_OPTIONS = (
'802-11-wireless-security.leap-password',
'802-11-wireless-security.psk',
'802-11-wireless-security.wep-key0',
'802-11-wireless-security.wep-key1',
'802-11-wireless-security.wep-key2',
'802-11-wireless-security.wep-key3'
)
def __init__(self, module):
self.module = module
self.state = module.params['state']
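Review bot: `SECRET_OPTIONS` needs a comment stating why these six keys are treated differently: their values are kept out of the `nmcli con add`/`con modify` argument list, which is what the commit title calls the security hole, and are instead fed to `nmcli con edit` on stdin. Without that note the next contributor who adds a secret-bearing option has no cue to extend the tuple, and the now-generic name (renamed from `WIFI_SEC_SECRET_OPTIONS`) no longer hints that only wireless-security keys are listed. A `frozenset` would also make the later `key in self.SECRET_OPTIONS` membership test read as intended, though at six entries the tuple is functionally fine.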
@ -792,6 +801,8 @@ class Nmcli(object):
else:
self.ipv6_method = None
self.edit_commands = []
def execute_command(self, cmd, use_unsafe_shell=False, data=None):
if isinstance(cmd, list):
cmd = [to_text(item) for item in cmd]
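Review bot: `self.edit_commands = []` is initialised here but never cleared after use (the commit message says `edit_connection()` deliberately does not reset it), so the list accumulates across repeated `connection_update()` calls on one instance. A one-line comment recording that this is intended, and that the list holds the `set <key> <value>` lines later piped to `nmcli con edit`, would stop a reader from treating the accumulation as a bug.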
@ -1079,12 +1090,17 @@ class Nmcli(object):
# Constructing the command.
for key, value in options.items():
if value is not None:
if key in self.SECRET_OPTIONS:
self.edit_commands += ['set %s %s' % (key, value)]
continue
cmd.extend([key, value])
return self.execute_command(cmd)
def create_connection(self):
status = self.connection_update('create')
if status[0] == 0 and self.edit_commands:
status = self.edit_connection()
if self.create_connection_up:
status = self.up_connection()
return status
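Review bot: in `create_connection()`, a non-zero status from `edit_connection()` is overwritten whenever `self.create_connection_up` is set, because `status = self.up_connection()` runs unconditionally afterwards; the secrets step can fail and the module still reports the outcome of `con up`. Guard it, e.g. `if status[0] == 0 and self.create_connection_up:`. Separately, `'set %s %s' % (key, value)` interpolates the secret unvalidated into a line that `edit_connection()` later joins with `"\n"`, so a value containing a newline would be split into additional editor lines; rejecting such values with `self.module.fail_json(...)` before appending keeps the stdin stream well-formed.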
@ -1105,7 +1121,15 @@ class Nmcli(object):
return self.execute_command(cmd)
def modify_connection(self):
return self.connection_update('modify')
status = self.connection_update('modify')
if status[0] == 0 and self.edit_commands:
status = self.edit_connection()
return status
def edit_connection(self):
data = "\n".join(self.edit_commands + ['save', 'quit'])
cmd = [self.nmcli_bin, 'con', 'edit', self.conn_name]
return self.execute_command(cmd, data=data)
def show_connection(self):
cmd = [self.nmcli_bin, '--show-secrets', 'con', 'show', self.conn_name]
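Review bot: `modify_connection()` now issues two separate nmcli invocations, so if `edit_connection()` fails after `connection_update('modify')` succeeded, the connection is left with the non-secret options applied and the old secrets in place, and the returned error gives no hint which step failed; consider wrapping the `edit_connection()` failure in a message that names the `con edit` step so the partial state is diagnosable. A short docstring on `edit_connection()` would also help: it relies on `execute_command()` passing `data` to the child's stdin (the `data=None` parameter shown in the earlier hunk), and the trailing `save` and `quit` are what commit the `set` lines and exit the interactive editor.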