tech-net archive


wpa_supplicant(8) control socket enabled by default



Moving this discussion onto tech-net.

Summary - I added a default configuration for wpa_supplicant which enabled the control socket. With this enabled, wpa_supplicant will default the group owner to the group owner of the top-level directory where it resides, which is normally wheel. To clarify this, I set the socket group to wheel in the default config as well.

This will only affect new installations, as existing setups already have their own wpa_supplicant.conf(5), and wheel defaults to no members and its only purpose before now was to allow su to root.

Maya pointed out this relaxed the default privs from what we used to ship and a conversation then ensued.
https://mail-index.netbsd.org/source-changes-d/2019/01/12/msg010932.html

mrg was the only outright dissenter of this change:
https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010941.html

Greg suggested a wpa_supplicant group:
https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010937.html

Although Robert was against this idea:
https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010943.html

Jason suggested that using ttyaction(5) could chown the socket as a hackish alternative.
https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010948.html

The overall feedback was generally positive, but I would like to gauge a wider audience, hence now posting this here as the original conversation on source-changes-d has now stalled.

Here are the options as I see them:
1) Keep things as they are now
2) Change the default group
3) Turn off the socket
4) Add config option to explicitly set socket mode
6) Change the socket mode to revoke group access and use ttyaction

The last option would also need to introduce a new configuration option upstream.

Roy
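
An added example, not part of the original post and not NetBSD's or wpa_supplicant's own code: a POSIX sh check that reads a wpa_supplicant.conf, reports which directory and group the control socket setting names, and lists that group's members from a group(5)-format file. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Report the control socket policy in a wpa_supplicant.conf.
# Prints "disabled" when no ctrl_interface line is present, otherwise
# "dir=<path> group=<name>". When no GROUP= is given the group is reported
# as "inherited" (per the post: taken from the directory's group owner).
ctrl_socket_policy() {
    conf=$1
    dir="" group=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ctrl_interface=*) val=${line#ctrl_interface=} ;;
            *) continue ;;              # comments and other settings
        esac
        dir="" group=""                 # a later line overrides an earlier one
        for word in $val; do
            case $word in
                DIR=*)   dir=${word#DIR=} ;;
                GROUP=*) group=${word#GROUP=} ;;
                /*)      dir=$word ;;   # plain-path form, no DIR= prefix
            esac
        done
    done < "$conf"
    if [ -z "$dir" ]; then
        echo "disabled"
    else
        echo "dir=$dir group=${group:-inherited}"
    fi
}

# List the members of group $1 in the group(5)-format file $2.
# Prints "none" for an empty or missing group. Only the member list is
# read; users whose primary gid is this group are not shown here.
group_members() {
    members=$(awk -F: -v g="$1" '$1 == g { print $4 }' "$2")
    echo "${members:-none}"
}

# Constructed sample input (not taken from the original post).
tmp=$(mktemp -d)
printf '%s\n' '# sample config' \
    'ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel' > "$tmp/wpa.conf"
printf '%s\n' 'wheel:*:0:' 'operator:*:5:alice' > "$tmp/group"
echo "$(ctrl_socket_policy "$tmp/wpa.conf"); wheel members: $(group_members wheel "$tmp/group")"
rm -rf "$tmp"
```

On a real system the two arguments would be the installed wpa_supplicant.conf and /etc/group; a non-empty member list shows who gains access to the control socket through the group setting.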

