[Bug 1987842] [NEW] wireguard: netdev file can leak private key

Launchpad Bug Tracker 1987842 at bugs.launchpad.net
Thu Sep 15 15:32:40 UTC 2022


You have been subscribed to a public bug by Matthieu Clemenceau (mclemenceau):

When using netplan with wireguard, netplan will render the
/run/systemd/network/10-netplan-${name}.netdev file with 0644
permissions.


That file contains the wireguard private key, which, if specified literally (instead of using a file), will leak that key to all local users of the system. This may not be desirable.

For example, I have this yaml in /etc/netplan/home0.yaml:
network:
  version: 2
  tunnels:
    home0:
      mode: wireguard
      key: <base64 private key contents>
      port: 51000
      addresses: [10.10.11.2/24]
      peers:
        - keys:
            public: <base64 public key contents>
          endpoint: 10.48.132.39:51000
          allowed-ips: [10.10.11.0/24,10.10.10.0/24]
      routes:
        - to: 10.10.10.0/24
          from: 10.10.11.2
          scope: link

When that is rendered and applied with `netplan apply`, this error is logged in /var/log/syslog:
Aug 26 14:23:30 laptop-coffee-shop systemd-networkd[537]: /run/systemd/network/10-netplan-home0.netdev has 0644 mode that is too permissive, please adjust the ownership and access mode.


And indeed, that file contains the same literal private key, as expected:

# cat /run/systemd/network/10-netplan-home0.netdev
[NetDev]
Name=home0
Kind=wireguard

[WireGuard]
PrivateKey=<base64 private key contents>
ListenPort=51000

[WireGuardPeer]
PublicKey=<base64 public key contents>
AllowedIPs=10.10.11.0/24,10.10.10.0/24
Endpoint=10.48.132.39:51000

Its permissions should probably be 0640 root:systemd-networkd.

This is not an issue if the private key is specified via a file, in
which case systemd-networkd won't even issue that warning.

** Affects: netplan
     Importance: High
         Status: Triaged


** Tags: foundations-todo fr-2634
-- 
wireguard: netdev file can leak private key
https://bugs.launchpad.net/bugs/1987842
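As an added example, not code from the bug report, netplan or systemd: a small POSIX shell audit for the condition described above, i.e. a rendered .netdev file that embeds a literal PrivateKey= and is accessible to users other than root and the networkd service. It assumes GNU coreutils (stat -c, as on Ubuntu) and takes the group name systemd-networkd from the report's suggested 0640 root:systemd-networkd; the file names and the sample key contents used in the usage below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of netplan/systemd.
# Audits systemd-networkd .netdev files for a literal WireGuard private key
# that non-root users can read. Assumes GNU stat (stat -c).
#
# Usage: . ./netdev-audit.sh && audit_netdev_dir /run/systemd/network
#    or: sh ./netdev-audit.sh /run/systemd/network

# audit_netdev_dir DIR [GROUP]
# Prints one line per offending .netdev file in DIR and returns 1 if any was
# found, 0 otherwise. A file is offending when it carries the key literally
# (PrivateKey=, not a PrivateKeyFile= reference) and is accessible to "other",
# or to a group other than GROUP (default systemd-networkd, the group the
# report proposes for a 0640 file).
audit_netdev_dir() {
    dir=$1
    okgroup=${2:-systemd-networkd}
    rc=0
    for f in "$dir"/*.netdev; do
        [ -f "$f" ] || continue
        # Only a literal key in the unit file is the problem; a path reference
        # keeps the secret in a separate file with its own permissions.
        grep -q '^PrivateKey=' "$f" || continue
        mode=$(stat -c '%a' "$f")      # octal mode, e.g. 644 or 640
        group=$(stat -c '%G' "$f")     # group name owning the file
        others=${mode#${mode%?}}       # last octal digit: permissions for "other"
        rest=${mode%?}
        grp=${rest#${rest%?}}          # second-to-last digit: permissions for group
        reason=
        if [ "$others" != 0 ]; then
            # This is the 0644 case from the report: every local user can read the key.
            reason="mode $mode is accessible to every local user"
        elif [ "$grp" != 0 ] && [ "$group" != "$okgroup" ]; then
            reason="mode $mode grants group $group access, expected $okgroup"
        fi
        if [ -n "$reason" ]; then
            echo "$f: literal PrivateKey= present; $reason"
            rc=1
        fi
    done
    return $rc
}

# harden_netdev FILE [GROUP]
# Applies the permissions the report suggests: 0640 with group GROUP (default
# systemd-networkd), so only root and the networkd service can read the key.
harden_netdev() {
    chmod 0640 "$1" && chgrp "${2:-systemd-networkd}" "$1"
}

# When run directly with a directory argument, audit it and exit with its status.
if [ $# -gt 0 ]; then
    audit_netdev_dir "$1"
    exit $?
fi
```

The mode check mirrors the "0644 mode that is too permissive" warning that systemd-networkd logs for the rendered file, but it runs before `netplan apply` has a chance to leave the key world-readable, and it only reports files where the key really is inline. The audit deliberately ignores PrivateKeyFile= entries: the report's workaround of giving netplan a path to a root-only key file rather than the base64 key is what produces such a reference (in my reading of the report; the exact rendered form is an assumption here), and in that case the secret's permissions are those of the key file, not of the .netdev unit.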