<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry>
  <refmeta>
    <refentrytitle>wpa_priv</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>wpa_priv</refname>
    <refpurpose>wpa_supplicant privilege separation helper</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>wpa_priv</command>
      <arg>-c <replaceable>ctrl path</replaceable></arg>
      <arg>-Bdd</arg>
      <arg>-P <replaceable>pid file</replaceable></arg>
      <arg>driver:ifname <replaceable>[driver:ifname ...]</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Overview</title>

    <para><command>wpa_priv</command> is a privilege separation helper that
    minimizes the amount of <command>wpa_supplicant</command> code that needs
    to be run with root privileges.</para>

    <para>If enabled, privileged operations are done in the wpa_priv process
    while the rest of the code (e.g., EAP authentication and WPA
    handshakes) operates in an unprivileged process (wpa_supplicant) that
    can be run as a non-root user. Privilege separation limits the effects
    of potential software errors by containing the majority of the code in an
    unprivileged process, so that a bug in that code cannot lead directly to a
    full system compromise.</para>

    <para><command>wpa_priv</command> needs to be run with network admin
    privileges (usually, as the root user). It opens a UNIX domain socket for
    each interface that is included on the command line; any other interface
    will be off limits for <command>wpa_supplicant</command> in this kind of
    configuration. After this, <command>wpa_supplicant</command> can be run as
    a non-root user (e.g., as any standard user on a laptop, or as a special
    non-privileged user account created just for this purpose to limit access
    to user files even further).</para>
  </refsect1>
  <refsect1>
    <title>Example configuration</title>

    <para>The following steps are an example of how to configure
    <command>wpa_priv</command> to allow users in the
    <emphasis>wpapriv</emphasis> group to communicate with
    <command>wpa_supplicant</command> with privilege separation:</para>

    <para>Create a user group (e.g., wpapriv) and add the users that
    should be able to use wpa_supplicant to that group.</para>

    <para>Create the /var/run/wpa_priv directory for the UNIX domain sockets
    and control user access by making it accessible only to the wpapriv
    group:</para>

<blockquote><programlisting>
mkdir /var/run/wpa_priv
chown root:wpapriv /var/run/wpa_priv
chmod 0750 /var/run/wpa_priv
</programlisting></blockquote>

    <para>Start <command>wpa_priv</command> as root (e.g., from the system
    startup scripts) with the enabled interfaces configured on the
    command line:</para>

<blockquote><programlisting>
wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0
</programlisting></blockquote>

    <para>Run <command>wpa_supplicant</command> as a non-root user
    that is in the wpapriv group, for the same interface:</para>

<blockquote><programlisting>
wpa_supplicant -i wlan0 -c wpa_supplicant.conf
</programlisting></blockquote>
  </refsect1>
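  <refsect1>
    <title>Checking the control directory</title>

    <para>The control directory created above is the boundary between the
    root-owned <command>wpa_priv</command> process and the unprivileged
    <command>wpa_supplicant</command>: any user who can reach a socket in it
    can talk to the privileged process. The following POSIX shell function, an
    added example rather than part of the wpa_supplicant project, checks that
    the directory is owned by root:wpapriv with mode 0750 as configured above
    (directory, group and owner are parameters; the function name is an
    assumption).</para>

<programlisting><![CDATA[
```sh
#!/bin/sh
# Added example, not part of the wpa_priv man page or the wpa_supplicant
# project: verify that the wpa_priv control directory is locked down so that
# only root and members of the wpapriv group can reach the per-interface
# UNIX domain sockets. Uses only POSIX tools (ls, awk, case) so it runs on
# Linux and BSD alike.
#
# Usage: wpa_priv_check_ctrl_dir DIR [GROUP] [OWNER]
# Returns 0 when DIR is a directory owned by OWNER:GROUP with mode
# rwxr-x--- (0750, as in the setup steps), 1 otherwise. Defaults for
# GROUP and OWNER are wpapriv and root, matching the example configuration.
wpa_priv_check_ctrl_dir() {
    dir=$1
    group=${2:-wpapriv}
    owner=${3:-root}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # 'ls -ld' prints e.g.: drwxr-x--- 2 root wpapriv 4096 ... /var/run/wpa_priv
    # (a trailing '+' or '.' for ACLs/SELinux labels is ignored by substr).
    line=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$line" | awk '{print substr($1, 2, 9)}')
    have_owner=$(printf '%s\n' "$line" | awk '{print $3}')
    have_group=$(printf '%s\n' "$line" | awk '{print $4}')
    rc=0
    [ "$have_owner" = "$owner" ] ||
        { echo "$dir: owner is $have_owner, expected $owner" >&2; rc=1; }
    [ "$have_group" = "$group" ] ||
        { echo "$dir: group is $have_group, expected $group" >&2; rc=1; }
    # Owner rwx, group r-x (no write), other --- : anything else means a
    # user outside the group could reach or tamper with the sockets.
    case $mode in
        rwxr-x---) ;;
        *) echo "$dir: mode is $mode, expected rwxr-x--- (0750)" >&2; rc=1 ;;
    esac
    return $rc
}

# When run directly with arguments, check the given directory, e.g.:
#   sh check_wpa_priv_dir.sh /var/run/wpa_priv
if [ $# -gt 0 ]; then
    wpa_priv_check_ctrl_dir "$@" && echo "$1: ok"
fi
```
]]></programlisting>
  </refsect1>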
  <refsect1>
    <title>Command Arguments</title>
    <variablelist>
      <varlistentry>
        <term>-c ctrl path</term>
        <listitem><para>Specify the path to the wpa_priv control directory
        (default: /var/run/wpa_priv/).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>-B</term>
        <listitem><para>Run as a daemon in the background.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>-P file</term>
        <listitem><para>Set the location of the PID
        file.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>driver:ifname [driver:ifname ...]</term>
        <listitem><para>The &lt;driver&gt; string dictates which of the
        supported <command>wpa_supplicant</command> driver backends is to be
        used. To get a list of supported driver types, see the wpa_supplicant
        help (e.g., wpa_supplicant -h). The driver backend supported by most
        good drivers is <emphasis>wext</emphasis>.</para>

        <para>The &lt;ifname&gt; string specifies which network
        interface is to be managed by <command>wpa_supplicant</command>
        (e.g., wlan0 or ath0).</para>

        <para><command>wpa_priv</command> does not use the network interface
        before <command>wpa_supplicant</command> is started, so it is fine to
        include network interfaces that are not available at the time wpa_priv
        is started. wpa_priv can control multiple interfaces with one process,
        but it is also possible to run multiple <command>wpa_priv</command>
        processes at the same time, if desired.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry>
        <refentrytitle>wpa_supplicant</refentrytitle>
        <manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsect1>

  <refsect1>
    <title>Legal</title>
    <para>wpa_supplicant is copyright (c) 2003-2018,
    Jouni Malinen <email>j@w1.fi</email> and
    contributors.
    All Rights Reserved.</para>

    <para>This program is licensed under the BSD license (the one with
    the advertisement clause removed).</para>
  </refsect1>
</refentry>