<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">

<refentry>
  <refentryinfo>
    <date>07 August 2019</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle>wpa_priv</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>wpa_priv</refname>

    <refpurpose>wpa_supplicant privilege separation helper</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>wpa_priv</command>
      <arg>-c <replaceable>ctrl path</replaceable></arg>
      <arg>-Bdd</arg>
      <arg>-P <replaceable>pid file</replaceable></arg>
      <arg>driver:ifname <replaceable>[driver:ifname ...]</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Overview</title>

    <para><command>wpa_priv</command> is a privilege separation helper that
    minimizes the size of <command>wpa_supplicant</command> code that needs
    to be run with root privileges.</para>

    <para>If enabled, privileged operations are done in the wpa_priv process
    while leaving the rest of the code (e.g., EAP authentication and WPA
    handshakes) to operate in an unprivileged process (wpa_supplicant) that
    can be run as a non-root user. Privilege separation restricts the effects
    of potential software errors by containing the majority of the code in an
    unprivileged process to avoid the possibility of a full system
    compromise.</para>

    <para><command>wpa_priv</command> needs to be run with network admin
    privileges (usually, root user). It opens a UNIX domain socket for each
    interface that is included on the command line; any other interface will
    be off limits for <command>wpa_supplicant</command> in this kind of
    configuration. After this, <command>wpa_supplicant</command> can be run as
    a non-root user (e.g., all standard users on a laptop or as a special
    non-privileged user account created just for this purpose to limit access
    to user files even further).</para>
  </refsect1>
  <refsect1>
    <title>Example configuration</title>

    <para>The following steps are an example of how to configure
    <command>wpa_priv</command> to allow users in the
    <emphasis>wpapriv</emphasis> group to communicate with
    <command>wpa_supplicant</command> with privilege separation:</para>

    <para>Create a user group (e.g., wpapriv) and assign the users that
    should be able to use wpa_supplicant to that group.</para>

    <para>Create the /var/run/wpa_priv directory for the UNIX domain sockets
    and control user access by making it accessible only to the wpapriv
    group:</para>

<blockquote><programlisting>
mkdir /var/run/wpa_priv
chown root:wpapriv /var/run/wpa_priv
chmod 0750 /var/run/wpa_priv
</programlisting></blockquote>

    <para>Start <command>wpa_priv</command> as root (e.g., from system
    startup scripts) with the enabled interfaces configured on the
    command line:</para>

<blockquote><programlisting>
wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0
</programlisting></blockquote>

    <para>Run <command>wpa_supplicant</command> as non-root with a user
    that is in the wpapriv group, on the interface that was handed to
    <command>wpa_priv</command> above:</para>

<blockquote><programlisting>
wpa_supplicant -i wlan0 -c wpa_supplicant.conf
</programlisting></blockquote>

  </refsect1>
  <refsect1>
    <title>Command Arguments</title>
    <variablelist>
      <varlistentry>
        <term>-c ctrl path</term>

        <listitem><para>Specify the path to the wpa_priv control directory
        (Default: /var/run/wpa_priv/).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>-B</term>
        <listitem><para>Run as a daemon in the background.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>-P file</term>

        <listitem><para>Set the location of the PID
        file.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>driver:ifname [driver:ifname ...]</term>

        <listitem><para>The &lt;driver&gt; string dictates which of the
        supported <command>wpa_supplicant</command> driver backends is to be
        used. To get a list of supported driver types, see the wpa_supplicant
        help (e.g., wpa_supplicant -h). The driver backend supported by most
        good drivers is <emphasis>wext</emphasis>.</para>

        <para>The &lt;ifname&gt; string specifies which network
        interface is to be managed by <command>wpa_supplicant</command>
        (e.g., wlan0 or ath0).</para>

        <para><command>wpa_priv</command> does not use the network interface
        before <command>wpa_supplicant</command> is started, so it is fine to
        include network interfaces that are not available at the time wpa_priv
        is started. wpa_priv can control multiple interfaces with one process,
        but it is also possible to run multiple <command>wpa_priv</command>
        processes at the same time, if desired.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry>
        <refentrytitle>wpa_supplicant</refentrytitle>
        <manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsect1>
  <refsect1>
    <title>Legal</title>
    <para>wpa_supplicant is copyright (c) 2003-2022,
    Jouni Malinen <email>j@w1.fi</email> and
    contributors.
    All Rights Reserved.</para>

    <para>This program is licensed under the BSD license (the one with
    advertisement clause removed).</para>
  </refsect1>
</refentry>
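The control directory setup from the example configuration, as an added shell example that is not part of the man page or of the hostap project: `setup_ctrl_dir` scripts the three commands the page gives (mkdir, chown root:wpapriv, chmod 0750) and `check_ctrl_dir` audits an existing control directory against that target, reporting a mode that grants access to "other", a group permission digit other than 5, a missing wpapriv group, or an unexpected owner. The function names are assumptions; the directory path, group name and expected uid/gid are parameters so the script can be exercised against a scratch directory as an unprivileged user.

```shell
#!/bin/sh
# Added example, not part of the wpa_priv man page or the hostap project.
# The control directory's mode is what decides which local users can reach
# the per-interface sockets wpa_priv creates beneath it, so it is the
# setting worth auditing. Paths, group and uid/gid are parameters
# (assumed names: perm_bits, owner_ids, setup_ctrl_dir, check_ctrl_dir).

# Permission bits of a path as three octal digits (GNU stat first, BSD stat
# as fallback); a leading setuid/setgid/sticky digit, if any, is dropped.
perm_bits() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    printf '%s\n' "${m#${m%???}}"
}

# Numeric owner and group of a path, printed as "uid:gid".
owner_ids() {
    stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# Create DIR the way the man page does. chown needs root, so it is skipped
# with a note when not running as uid 0; GROUP defaults to wpapriv.
setup_ctrl_dir() {
    dir=$1; group=${2:-wpapriv}
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$group" "$dir"
    else
        echo "not root: skipping chown root:$group $dir" >&2
    fi
    chmod 0750 "$dir"
}

# Audit DIR against root:wpapriv 0750. Prints one finding per line and
# returns 0 only when there are none. UID and GID default to root and the
# wpapriv group; pass other ids when checking a scratch directory.
check_ctrl_dir() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-$(getent group wpapriv 2>/dev/null | cut -d: -f3)}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing; wpa_priv has nowhere to create its sockets"
        return 1
    fi
    bits=$(perm_bits "$dir") || return 1
    group_bits=${bits#?}; group_bits=${group_bits%?}   # middle digit
    other_bits=${bits#??}                              # last digit
    if [ "$other_bits" != "0" ]; then
        echo "$dir: mode 0$bits lets any local user reach the sockets (expected 0750)"
        rc=1
    fi
    if [ "$group_bits" != "5" ]; then
        echo "$dir: group permission digit is $group_bits (expected 5: read and search only)"
        rc=1
    fi
    if [ -z "$want_gid" ]; then
        echo "$dir: the wpapriv group does not exist; create it before starting wpa_priv"
        rc=1
    elif [ "$(owner_ids "$dir")" != "$want_uid:$want_gid" ]; then
        echo "$dir: owned by $(owner_ids "$dir"), expected $want_uid:$want_gid"
        rc=1
    fi
    return $rc
}

# Usage on a real system (as root): setup_ctrl_dir /var/run/wpa_priv
# and, at any later time, check_ctrl_dir /var/run/wpa_priv
```

Run `check_ctrl_dir /var/run/wpa_priv` before starting wpa_priv or from a periodic job; a non-zero exit with a finding about "other" means the directory no longer restricts socket access to the wpapriv group as the example configuration intends.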