tech-net archive


Re: wpa_supplicant(8) control socket enabled by default



On Mon, 4 Feb 2019 at 15:28, Roy Marples <roy%marples.name@localhost> wrote:
>
> Moving this discussion onto tech-net.
>
> Summary - I added a default configuration for wpa_supplicant which
> enabled the control socket. With this enabled wpa_supplicant will
> default the group owner to the group owner of the top level directory
> where it resides which is normally wheel. To clarify this, I set the
> socket group to wheel in the default config as well.
>
> This will only affect new installations as existing setups already have
> their own wpa_supplicant.conf(5) and wheel defaults to no members and
> whose only purpose before now was to allow su to root.
>
> Maya pointed out this relaxed the default privs from what we used to
> ship and a conversation then ensued.
> https://mail-index.netbsd.org/source-changes-d/2019/01/12/msg010932.html
>
> mrg was the only outright dissenter of this change:
> https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010941.html
>
> Greg suggested a wpa_supplicant group:
> https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010937.html
>
> Although Robert was against this idea:
> https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010943.html
>
> Jason suggested that using ttyaction(5) could chown the socket as a
> hackish alternative.
> https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010948.html
>
> The overall feedback was generally positive, but I would like to gauge a
> wider audience, hence now posting this here as the original conversation
> on source-changes-d has now stalled.
>
> Here are the options as I see them:
> 1) Keep things as they are now
> 2) Change the default group
> 3) Turn off the socket
> 4) Add config option to explicitly set socket mode
> 6) Change the socket mode to revoke group access and use ttyaction
>
> The last option would also need to introduce a new configuration option
> upstream.

Keeping in mind that this is to decide the default behaviour for *if*
a user elects to enable wpa_supplicant.

- I think picking wheel as the default group makes sense
- It "just" needs to be documented - in the man page?
- If we add an option to enable wpa_supplicant in sysinst it should
also inform the user of this in the UI

Good change :)

David
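
For readers auditing an installation against the default discussed in this thread, the following added example (not part of the original messages and not NetBSD or wpa_supplicant code) parses the `ctrl_interface` and `ctrl_interface_group` settings of a wpa_supplicant.conf(5) and reports whether group members or other users can reach the control socket directory. The sample configuration is constructed, and the `socket_dir` parameter is a hypothetical override used for testing.

```python
import os
import re
import stat

def parse_ctrl_interface(conf_text):
    """Return (directory, group) configured for the control socket; None if unset."""
    directory = group = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "ctrl_interface":
            # Combined form: ctrl_interface=DIR=<path> GROUP=<name or gid>
            m = re.match(r"DIR=(\S+)(?:\s+GROUP=(\S+))?", value)
            if m:
                directory, group = m.group(1), m.group(2) or group
            else:
                directory = value or None
        elif key == "ctrl_interface_group":
            group = value or None
    return directory, group

def audit(conf_text, socket_dir=None):
    """Summarise who can reach the control socket.
    socket_dir overrides the configured path (hypothetical parameter, for testing)."""
    directory, group = parse_ctrl_interface(conf_text)
    report = {"enabled": directory is not None, "dir": directory,
              "configured_group": group, "group_can_reach": None,
              "others_can_reach": None}
    target = socket_dir or directory
    if target and os.path.isdir(target):
        mode = stat.S_IMODE(os.stat(target).st_mode)
        # Search (x) permission on the directory is needed to open the socket inside it.
        report["group_can_reach"] = bool(mode & stat.S_IXGRP)
        report["others_can_reach"] = bool(mode & stat.S_IXOTH)
    return report

# Constructed sample mirroring the default described in the thread.
SAMPLE_CONF = """\
# constructed example
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Pair the reported group with the membership listed in group(5) to see which accounts can actually drive wpa_supplicant through the socket.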

