{"id":3259,"date":"2022-12-20T17:02:10","date_gmt":"2022-12-20T20:02:10","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/wpa_priv-man8\/"},"modified":"2022-12-20T17:02:10","modified_gmt":"2022-12-20T20:02:10","slug":"wpa_priv-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/wpa_priv-man8\/","title":{"rendered":"WPA_PRIV (man8)"},"content":{"rendered":"

WPA_PRIV<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
OVERVIEW<\/a>
EXAMPLE CONFIGURATION<\/a>
COMMAND ARGUMENTS<\/a>
SEE ALSO<\/a>
LEGAL<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

wpa_priv \u2212 wpa_supplicant privilege separation helper<\/p>\n

SYNOPSIS <\/a> <\/h2>\n

wpa_priv<\/b> [ -c<\/b> ctrl path<\/i> ] [ -Bdd<\/b> ] [ -P<\/b> pid file<\/i> ] [ driver:ifname<\/b> [driver:ifname …]<\/i> ]<\/p>\n

OVERVIEW <\/a> <\/h2>\n

wpa_priv<\/b> is a privilege separation helper that minimizes the size of wpa_supplicant<\/b> code that needs to be run with root privileges.<\/p>\n

If enabled, privileged operations are done in the wpa_priv process while leaving rest of the code (e.g., EAP authentication and WPA handshakes) to operate in an unprivileged process (wpa_supplicant) that can be run as non-root user. Privilege separation restricts the effects of potential software errors by containing the majority of the code in an unprivileged process to avoid the possibility of a full system compromise.<\/p>\n

wpa_priv<\/b> needs to be run with network admin privileges (usually, root user). It opens a UNIX domain socket for each interface that is included on the command line; any other interface will be off limits for wpa_supplicant<\/b> in this kind of configuration. After this, wpa_supplicant<\/b> can be run as a non-root user (e.g., all standard users on a laptop or as a special non-privileged user account created just for this purpose to limit access to user files even further).<\/p>\n

EXAMPLE CONFIGURATION <\/a> <\/h2>\n

The following steps are an example of how to configure wpa_priv<\/b> to allow users in the wpapriv<\/b> group to communicate with wpa_supplicant<\/b> with privilege separation:<\/p>\n

Create user group (e.g., wpapriv) and assign users that should be able to use wpa_supplicant into that group.<\/p>\n

Create \/var\/run\/wpa_priv directory for UNIX domain sockets and control user access by setting it accessible only for the wpapriv group:<\/p>\n

mkdir \/var\/run\/wpa_priv
chown root:wpapriv \/var\/run\/wpa_priv
chmod 0750 \/var\/run\/wpa_priv<\/p>\n

Start wpa_priv<\/b> as root (e.g., from system startup scripts) with the enabled interfaces configured on the command line:<\/p>\n

wpa_priv -B -c \/var\/run\/wpa_priv -P \/var\/run\/wpa_priv.pid wext:wlan0<\/p>\n

Run wpa_supplicant<\/b> as non-root with a user that is in the wpapriv group:<\/p>\n

wpa_supplicant -i ath0 -c wpa_supplicant.conf<\/p>\n

COMMAND ARGUMENTS <\/a> <\/h2>\n

-c ctrl path<\/b><\/p>\n

Specify the path to wpa_priv control directory (Default: \/var\/run\/wpa_priv\/).<\/p>\n\n\n
<\/td>\n\n

-B<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Run as a daemon in the background.<\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

-P file<\/b><\/p>\n

Set the location of the PID file.<\/p>\n

driver:ifname [driver:ifname …]<\/b><\/p>\n

The string dictates which of the supported wpa_supplicant<\/b> driver backends is to be used. To get a list of supported driver types see wpa_supplicant help (e.g, wpa_supplicant -h). The driver backend supported by most good drivers is wext<\/b>.<\/p>\n

The string specifies which network interface is to be managed by wpa_supplicant<\/b> (e.g., wlan0 or ath0).<\/p>\n

wpa_priv<\/b> does not use the network interface before wpa_supplicant<\/b> is started, so it is fine to include network interfaces that are not available at the time wpa_priv is started. wpa_priv can control multiple interfaces with one process, but it is also possible to run multiple wpa_priv<\/b> processes at the same time, if desired.<\/p>\n

SEE ALSO <\/a> <\/h2>\n

wpa_supplicant<\/b>(8)<\/p>\n

LEGAL <\/a> <\/h2>\n

wpa_supplicant is copyright (c) 2003-2019, Jouni Malinen and contributors. All Rights Reserved.<\/p>\n

This program is licensed under the BSD license (the one with advertisement clause removed).<\/p>\n

\n","protected":false},"excerpt":{"rendered":"

wpa_priv \u2212 wpa_supplicant privilege separation helper <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,393],"class_list":["post-3259","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-wpa_priv"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3259"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3259\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}