Re: Poisontap security issue of NetworkManager?



On 21.11.2016 22:02, Stuart D. Gathman wrote:
On Mon, 21 Nov 2016, Claudius Heine wrote:

On 21.11.2016 13:07, Lubomir Rintel wrote:
On Thu, 2016-11-17 at 12:10 +0100, Claudius Heine wrote:

I think the main issue is that the network device is automatically
set up via dhcp by tools like NetworkManager & co.

That is a feature. You generally want network connectivity when you
plug in a network adapter with a cable in it.

Yes. And a nice one ;)

It's a nice feature when working at the computer.  What poisontap
is complaining about, however, is that USB ports should not do anything
automatically while the screen is locked.

Now, for a workstation, yes you pretty much want "Lock Screen" to lock
everything down, including USB ports.

However, for a server, you might want an end user to plug in a USB
device during your remote support session without logging in to the
console.

In any case, if there is anything done to lock more than the screen
and keyboard, I think it should be at the udev level - not in
NetworkManager.  The lockscreen/screensaver app needs to tell udev
to stop activating things until unlocked.

If it's possible to prevent using an existing ethernet port with dhcp
profile for poisontap while the desktop is locked, why not.
But I don't think that is possible. At least udev doesn't trigger any
events when re-plugging the ethernet cable.

IMO that is only possible if NetworkManager would stop dhcpclient on
every network (maybe only ethernet) interface while the desktop is
locked and start it again when it's unlocked. This would allow all
existing connections to persist, but avoids any new connections while
the user is away.

Meanwhile, I have to keep taking my laptop into the restroom...

Lucky you, when you have a portable device. Unlucky people using the
computer rooms in university etc. They have to keep it in, until they
are finished and can logout. ;)

Cheers,
Claudius

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch denx de

           PGP key: 6FF2 E59F 00C6 BC28 31D8 64C1 1173 CB19 9808 B153
                             Keyserver: hkp://pool.sks-keyservers.net
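
The message above suggests stopping automatic DHCP setup on ethernet interfaces while the desktop is locked and resuming it on unlock. The following is an added example, not part of the thread and not NetworkManager code, that approximates this from outside NetworkManager by switching the per-device autoconnect flag with `nmcli`. It assumes the lock screen reports its state through logind's `LockedHint` property and that `gdbus` and `nmcli` are installed; the sample strings are constructed.

```python
import re
import subprocess

# Constructed samples (not captured output): one `gdbus monitor` line and one
# `nmcli -t -f DEVICE,TYPE device` listing.
SAMPLE_SIGNAL = ("/org/freedesktop/login1/session/_32: "
                 "org.freedesktop.DBus.Properties.PropertiesChanged "
                 "('org.freedesktop.login1.Session', {'LockedHint': <true>}, @as [])")
SAMPLE_DEVICES = "enp0s25:ethernet\nwlp3s0:wifi\nlo:loopback\n"

LOCKED_HINT = re.compile(r"'LockedHint': <(true|false)>")


def lock_state(monitor_line):
    """True if the line reports a lock, False for an unlock, None otherwise."""
    match = LOCKED_HINT.search(monitor_line)
    return None if match is None else match.group(1) == "true"


def ethernet_devices(nmcli_terse):
    """Names of ethernet devices in terse DEVICE:TYPE output."""
    pairs = (line.rpartition(":") for line in nmcli_terse.splitlines())
    return [name for name, _, dev_type in pairs if name and dev_type == "ethernet"]


def plan(locked, devices):
    """nmcli calls that block (locked) or re-allow (unlocked) auto-activation.
    Only the autoconnect flag changes; no disconnect is issued."""
    value = "no" if locked else "yes"
    return [["nmcli", "device", "set", dev, "autoconnect", value] for dev in devices]


def main():
    # Assumption: the desktop's lock screen sets logind's LockedHint.
    monitor = subprocess.Popen(
        ["gdbus", "monitor", "--system", "--dest", "org.freedesktop.login1"],
        stdout=subprocess.PIPE, text=True)
    for line in monitor.stdout:
        locked = lock_state(line)
        if locked is None:
            continue
        listing = subprocess.run(["nmcli", "-t", "-f", "DEVICE,TYPE", "device"],
                                 capture_output=True, text=True, check=True).stdout
        for cmd in plan(locked, ethernet_devices(listing)):
            subprocess.run(cmd, check=False)


if __name__ == "__main__":
    main()
```

The device list is read at the moment of the lock event, so an adapter that first appears while the screen is locked is not covered. On unlock, every ethernet device is set back to autoconnect, including any that were set to `no` on purpose beforehand.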

