tech-net archive


Re: wpa_supplicant(8) control socket enabled by default



On Feb 4,  3:28pm, Roy Marples wrote:
}
} Moving this discussion onto tech-net.
} 
} Summary - I added a default configuration for wpa_supplicant which 
} enabled the control socket. With this enabled wpa_supplicant will 
} default the group owner to the group owner of the top level directory 
} where it resides which is normally wheel. To clarify this, I set the 
} socket group to wheel in the default config as well.
} 
} This will only affect new installations as existing setups already have 
} their own wpa_supplicant.conf(5) and wheel defaults to no members and 
} whose only purpose before now was to allow su to root.
} 
} Maya pointed out this relaxed the default privs from what we used to 
} ship and a conversation then ensued.
} https://mail-index.netbsd.org/source-changes-d/2019/01/12/msg010932.html
} 
} mrg was the only outright dissenter of this change:
} https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010941.html
} 
} Greg suggested a wpa_supplicant group:
} https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010937.html
} 
} Although Robert was against this idea:
} https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010943.html
} 
} Jason suggested that using ttyaction(5) could chown the socket as a 
} hackish alternative.
} https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010948.html
} 
} The overall feedback was generally positive, but I would like to gauge a 
} wider audience, hence now posting this here as the original conversation 
} on source-changes-d has now stalled.
} 
} Here are the options as I see them:
} 1) Keep things as they are now
} 2) Change the default group
} 3) Turn off the socket
} 4) Add config option to explicitly set socket mode
} 5) Change the socket mode to revoke group access and use ttyaction
} 
} The last option would also need to introduce a new configuration option 
} upstream.

     I'm not overly fussy with which way it goes.  However, I am
against the idea of using ttyaction as networking configuration
has very little to do with who's logged in.

}-- End of excerpt from Roy Marples

