MAC spoofing failure doesn't result in panic mode (module removal)
Originally created by @anonym on #8571 (Redmine)
If MAC spoofing fails, we have specified that we’re supposed to enter
into a panic mode where we do our best to prevent the device in question
from talking to the network (and hence leaking the real MAC address) by
removing the module etc. However, if `macchanger` returns an error we will
actually not do this. See this extract from
`config/chroot_local-includes/usr/local/sbin/tails-spoof-mac`:
```
spoof_mac() {
    local msg
    if ! msg=$(macchanger -e "${1}" 2>&1); then
        log "macchanger failed for NIC ${1}, returned ${?} and said: ${msg}"
        exit 1
    fi
}
```
The problem in the above is `exit 1`, which prevents the panic mode code
from ever running. What was actually intended was probably `return 1`,
which indeed will fix this issue. However, let’s first look at the
context in which `spoof_mac()` is called:
```
for i in 1 2 3; do
    spoof_mac "${NIC}" || :
    NEW_MAC="$(get_current_mac_of_nic "${NIC}")"
    if [ "${OLD_MAC}" != "${NEW_MAC}" ]; then
        break
    fi
done
```
So, we ignore any failure status returned from `spoof_mac()`. We
actually probably want to immediately enter the panic mode if
`macchanger` fails, for added fail-safeness.
Feature Branch: bugfix/8571-fix-mac-spoof-panic-mode
Related issues
- Related to #8685 (closed)
- Related to #9531 (closed)
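
The fail-safe control flow the report asks for, as an added example that is neither the Tails script nor the fix from the feature branch: `spoof_mac()` returns instead of exiting, and the caller enters panic mode on the first `macchanger` error. `spoof_nic`, `panic_mode` and the `FAKE_*` variables are hypothetical, `macchanger` and `get_current_mac_of_nic` are stubbed so the block runs offline, and panicking when the MAC is still unchanged after three attempts is an assumption about the surrounding script.

```sh
#!/bin/sh
# Added example, not the Tails script. Constructed stubs replace the real
# macchanger binary and the panic action so the control flow runs offline.

log() { echo "spoof-mac-example: $*" >&2; }

# Stub: FAKE_RC is the exit status the fake macchanger returns.
macchanger() {
    [ "${FAKE_RC:-0}" -eq 0 ] && return 0
    echo "constructed macchanger error"
    return "${FAKE_RC}"
}

# Stub: FAKE_NEW_MAC is the address the NIC reports after the attempt.
get_current_mac_of_nic() { echo "${FAKE_NEW_MAC:-02:00:00:aa:bb:cc}"; }

# Hypothetical stand-in for the panic mode (module removal etc.).
panic_mode() {
    PANIC_NIC="${1}"
    log "panic mode: cutting NIC ${1} off from the network"
}

spoof_mac() {
    local msg rc
    msg=$(macchanger -e "${1}" 2>&1) && return 0
    rc=$?   # status of macchanger itself, saved before anything resets it
    log "macchanger failed for NIC ${1}, returned ${rc} and said: ${msg}"
    return 1   # return, not exit: the caller must stay alive to panic
}

# Returns 0 only if the NIC ends up with a MAC different from old_mac.
spoof_nic() {
    local nic="${1}" old_mac="${2}" new_mac i
    for i in 1 2 3; do
        if ! spoof_mac "${nic}"; then
            panic_mode "${nic}"   # fail closed on the first tool error
            return 1
        fi
        new_mac="$(get_current_mac_of_nic "${nic}")"
        if [ "${old_mac}" != "${new_mac}" ]; then
            return 0
        fi
    done
    panic_mode "${nic}"   # three clean runs but the real MAC is still set
    return 1
}

# Constructed demo: the tool fails with status 2, so the NIC is fenced off.
FAKE_RC=2
spoof_nic eth0 "00:11:22:33:44:55" || log "not spoofed, panicked on: ${PANIC_NIC}"
```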