tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
wpa_supplicant(8) control socket enabled by default
Moving this discussion onto tech-net.
Summary - I added a default configuration for wpa_supplicant which
enabled the control socket. With this enabled wpa_supplicant will
default the group owner to the group owner of the top level directory
where it resides which is normally wheel. To clarify this, I set the
socket group to wheel in the default config as well.
This will only affect new installations as existing setups already have
their own wpa_supplicant.conf(5) and wheel defaults to no members and
whose only purpose before now was to allow su to root.
Maya pointed out this relaxed the default privs from what we used to
ship and a conversation then ensued.
https://mail-index.netbsd.org/source-changes-d/2019/01/12/msg010932.html
mrg was the only out right dissenter of this change:
https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010941.html
Greg suggested a wpa_supplicant group:
https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010937.html
Although Robert was against this idea:
https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010943.html
Jason suggested that using ttyaction(5) could chown the the socket as a
hackish alternative.
https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010948.html
The overall feedback was generally positive, but I would like to guage a
wider audience, hence now posting this here as the original conversation
on source-changes-d has now stalled.
Here are the options as I see them:
1) Keep things as they are now
2) Change the default group
3) Turn off the socket
4) Add config option to explicity set socket mode
6) Change the socket mode to revoke group access and use ttyaction
The last option would also need to introduce a new configuration option
upstream.
Roy
Home |
Main Index |
Thread Index |
Old Index