man: clearify plain text secrets in keyfile

2024-07-21 18:24:49 +00:00 · 2017-09-28 17:29:45 +02:00 · 2017-09-28 17:29:45 +02:00 · 46dc919e68
parent a47c48fd84
commit 46dc919e68
2 changed files with 13 additions and 6 deletions
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -1134,10 +1134,12 @@ enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
            <filename>/etc/NetworkManager/system-connections</filename>.
          </para>
          <para>
-            The stored connection file may contain passwords and
-            private keys, so it will be made readable only to root,
-            and the plugin will ignore files that are readable or
-            writable by any user or group other than root.
+            The stored connection file may contain passwords, secrets and
+            private keys in plain text, so it will be made readable only to
+            root, and the plugin will ignore files that are readable or
+            writable by any user or group other than root. See "Secret flag types"
+            in <link linkend='nm-settings'><citerefentry><refentrytitle>nm-settings</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
+            for how to avoid storing passwords in plain text.
          </para>
          <para>
            This plugin is always active, and will automatically be
--- a/man/nm-settings.xsl
+++ b/man/nm-settings.xsl
@ -87,13 +87,18 @@
        <refsect2 id="secrets-flags">
          <title>Secret flag types:</title>
          <para>
-            Each secret property in a setting has an associated <emphasis>flags</emphasis> property
+            Each password or secret property in a setting has an associated <emphasis>flags</emphasis> property
            that describes how to handle that secret. The <emphasis>flags</emphasis> property is a bitfield
            that contains zero or more of the following values logically OR-ed together.
          </para>
          <itemizedlist>
            <listitem>
-              <para>0x0 (none) - the system is responsible for providing and storing this secret.</para>
+              <para>0x0 (none) - the system is responsible for providing and storing this secret. This
+              may be required so that secrets are already available before the user logs in.
+              It also commonly means that the secret will be stored in plain text on disk, accessible
+              to root only. For example via the keyfile settings plugin as described in the "PLUGINS" section
+              in <link linkend='NetworkManager.conf'><citerefentry><refentrytitle>NetworkManager.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>.
+              </para>
            </listitem>
            <listitem>
              <para>0x1 (agent-owned) - a user-session secret agent is responsible for providing and storing