Commit 46dc919e authored by Thomas Haller

man: clarify plain text secrets in keyfile

parent a47c48fd
......@@ -1134,10 +1134,12 @@ enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
<filename>/etc/NetworkManager/system-connections</filename>.
</para>
<para>
The stored connection file may contain passwords and
private keys, so it will be made readable only to root,
and the plugin will ignore files that are readable or
writable by any user or group other than root.
The stored connection file may contain passwords, secrets and
private keys in plain text, so it will be made readable only to
root, and the plugin will ignore files that are readable or
writable by any user or group other than root. See "Secret flag types"
in <link linkend='nm-settings'><citerefentry><refentrytitle>nm-settings</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
for how to avoid storing passwords in plain text.
</para>
<para>
This plugin is always active, and will automatically be
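Review bot: The pointer sentence at the end of the new paragraph says "for how to avoid storing passwords in plain text", while the sentence before it lists "passwords, secrets and private keys". A reader could conclude that the secret flags only help with passwords. Suggest "for how to avoid storing secrets in plain text", or repeating the same list. The section being referenced carries id="secrets-flags" and the title "Secret flag types:" in nm-settings, so if the doc build resolves that id from this file, linking to it directly would land the reader on the right section rather than at the top of the man page.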
......
......@@ -87,13 +87,18 @@
<refsect2 id="secrets-flags">
<title>Secret flag types:</title>
<para>
Each secret property in a setting has an associated <emphasis>flags</emphasis> property
Each password or secret property in a setting has an associated <emphasis>flags</emphasis> property
that describes how to handle that secret. The <emphasis>flags</emphasis> property is a bitfield
that contains zero or more of the following values logically OR-ed together.
</para>
<itemizedlist>
<listitem>
<para>0x0 (none) - the system is responsible for providing and storing this secret.</para>
<para>0x0 (none) - the system is responsible for providing and storing this secret. This
may be required so that secrets are already available before the user logs in.
It also commonly means that the secret will be stored in plain text on disk, accessible
to root only. For example via the keyfile settings plugin as described in the "PLUGINS" section
in <link linkend='NetworkManager.conf'><citerefentry><refentrytitle>NetworkManager.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>.
</para>
</listitem>
<listitem>
<para>0x1 (agent-owned) - a user-session secret agent is responsible for providing and storing
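Review bot: In the new 0x0 (none) text, "For example via the keyfile settings plugin as described in the "PLUGINS" section in ..." is a sentence fragment. Suggest joining it to the previous sentence, for example "... accessible to root only, for example via the keyfile settings plugin as described in ...". The intro paragraph also now opens with "Each password or secret property" but continues with "how to handle that secret", and the list items still say only "secret". Either use one term throughout or state once that passwords count as secrets here. Since this entry now says that 0x0 commonly means plain text on disk, it would help to state which of the other flag values avoid that, so the cross-reference from NetworkManager.conf answers the question it promises to answer.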
......