Moving NetworkManager config files to ~

14/10/03: Added a quick/simple fix.
14/02/02: Updated "Run it after wakeup from suspend" to make it work in Trusty Tahr.
14/01/07: Updated the "...wakeup from suspend" part.

The NetworkManager in Ubuntu stores its Wifi and VPN configuration files outside the home folder under /etc/NetworkManager (at least if you did not uncheck "Available to All Users"). Plus the passphrases within them are stored in cleartext.
That's not what you expect if you have home folder encryption turned on.

The quick and simple fix

There is a minor downside to this: If you have a multi-user system you need to set up the Wifi connection for every user individually.

  1. Open the NetworkManager in the top left.
  2. Click on "Edit connections".
  3. Select the first Wifi connection of which you want to protect the password.
  4. Select "General" and uncheck "All users may connect to this network".
  5. Click Save and repeat for all relevant Wifi connections.

The long and hackish fix

I leave this here since it could serve as a starting point for implementing a multi-user-friendly way of protecting Wifi passwords. I would change the following to save the NetworkManager files in an encrypted directory which all users can read. If you like, ask in the comment section and I will elaborate a bit more.

- The following steps are meant for single user systems with enabled home folder encryption.
- An Ubuntu developer pointed out that this workaround might introduce a security hole when an attacker has access to your running system.

1. Make folder, copy/link content
2. Write a NetworkManager restart program
3. Make it autostart after login
4. Run it after wakeup from suspend

Make folder, copy/link content

Since moving the whole NetworkManager folder does not seem to work, we only move the relevant subfolders:

  1. Make a folder for the files:
    mkdir ~/.NetworkManager
  2. Move the configuration files folder:
    sudo mv /etc/NetworkManager/system-connections ~/.NetworkManager/
  3. Symlink it:
    sudo ln -s ~/.NetworkManager/system-connections/ /etc/NetworkManager/
  4. If you have noticed the VPN folder: it seemingly does not have to be moved since NetworkManager stores PPTP and OpenVPN config files in system-connections as well.

Write a NetworkManager restart program

To make NetworkManager aware that its config files are available again after the login/after wakeup, we need to restart it. Because only the superuser can restart NetworkManager we need to create a program in binary format so we can set the SUID bit. That way we can restart NetworkManager as a regular user.

  1. Now we create a C file:
    cd ~/.NetworkManager
    nano restartnetworkmanager.c
  2. Add the following and save:
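    #include <stdlib.h>
    #include <unistd.h>   /* setuid() */

    int main(void)
    {
        /* Become root; only works once the SUID bit is set (step 4). */
        if (setuid(0) != 0)
            return 1;
        /* system() runs the command through /bin/sh. */
        return system("sudo service network-manager restart");
    }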
  3. Compile:
    gcc restartnetworkmanager.c -o restartnetworkmanager
  4. Fix the owner, rights and add SUID bit:
    sudo chown root restartnetworkmanager
    sudo chmod u+s restartnetworkmanager
  5. Move it to your binaries folder:
    sudo mv restartnetworkmanager /usr/local/bin/
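
A hardened variant of the wrapper above, as an added example that is not the author's code: system() hands the command to /bin/sh together with the calling user's environment, which the system(3) manual page warns against in set-user-ID programs, so this version executes one fixed absolute path through execve() with a fixed environment and checks the result of setuid(). The path /usr/sbin/service and the helper name target_is_trusted are assumptions.

```c
/* Added example: hardened replacement for restartnetworkmanager.c. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: location of the service tool on Ubuntu. */
#define SERVICE_BIN "/usr/sbin/service"

/* Fixed environment: nothing from the calling user is passed on. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LANG=C", NULL
};

/* Return 1 only if path is a regular file owned by owner_uid that
 * neither group nor others can write to; 0 otherwise or on error. */
int target_is_trusted(const char *path, uid_t owner_uid)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != owner_uid)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(void)
{
    /* Arguments are hard-coded; nothing is taken from argv. */
    char *const args[] = { "service", "network-manager", "restart", NULL };

    if (!target_is_trusted(SERVICE_BIN, 0)) {
        fprintf(stderr, "refusing to run %s\n", SERVICE_BIN);
        return 1;
    }
    /* Set real and effective UID to root; stop if that fails. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* No shell, no PATH lookup: execute exactly SERVICE_BIN. */
    execve(SERVICE_BIN, args, CLEAN_ENV);
    perror("execve"); /* reached only if execve failed */
    return 1;
}
```

It is compiled, chowned and given the SUID bit exactly as in steps 3 to 5.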

Make it autostart after login

  1. Add an autostart .desktop file:
    nano ~/.config/autostart/restartnetworkmanager.desktop
  2. Enter the following:
    [Desktop Entry]
    Type=Application
    Name=Restart NetworkManager
    Comment=See
    Exec=restartnetworkmanager

Run it after wakeup from suspend

  1. Make a script:
    sudo nano /etc/pm/sleep.d/restart-wifi
  2. Enter the following:
    #!/bin/bash
    case "${1}" in
        resume|thaw)
            /usr/local/bin/restartnetworkmanager
            ;;
    esac
  3. Make it executable:
    sudo chmod +x /etc/pm/sleep.d/restart-wifi

Valuable resources:
- askubuntu: Where does network-manager store WPA keys when “Available to All Users” is ticked?

The author

Written by Per

Free software enthusiast and transhumanist residing in Stuttgart, Germany.
