aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/README
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2013-09-29 09:04:40 (GMT)
committerJouni Malinen <j@w1.fi>2013-09-29 09:04:40 (GMT)
commit5388dc97e0a71e60d971880f5cf87ba3a5dd0800 (patch)
tree91c51cd0835904b1f18703253ae7fcf948930a35 /wpa_supplicant/README
parentd85bb75d475736c3345728be516241fb7b627f33 (diff)
downloadhostap-5388dc97e0a71e60d971880f5cf87ba3a5dd0800.zip
hostap-5388dc97e0a71e60d971880f5cf87ba3a5dd0800.tar.gz
hostap-5388dc97e0a71e60d971880f5cf87ba3a5dd0800.tar.bz2
Document use of Linux capabilities instead of privileged process
Linux capabilities cap_net_admin and cap_net_raw can be used to replace need for running wpa_supplicant as a root process. Signed-hostap: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/README')
-rw-r--r--wpa_supplicant/README34
1 files changed, 34 insertions, 0 deletions
diff --git a/wpa_supplicant/README b/wpa_supplicant/README
index 78df89e..8e9cc45 100644
--- a/wpa_supplicant/README
+++ b/wpa_supplicant/README
@@ -949,3 +949,37 @@ can be started when an interface is added (hotplug/udev/etc. scripts).
wpa_priv can control multiple interface with one process, but it is
also possible to run multiple wpa_priv processes at the same time, if
desired.
+
+
+Linux capabilities instead of privileged process
+------------------------------------------------
+
+wpa_supplicant performs operations that need special permissions, e.g.,
+to control the network connection. Traditionally this has been achieved
+by running wpa_supplicant as a privileged process with effective user id
+0 (root). Linux capabilities can be used to provide restricted set of
+capabilities to match the functions needed by wpa_supplicant. The
+minimum set of capabilities needed for the operations is CAP_NET_ADMIN
+and CAP_NET_RAW.
+
+setcap(8) can be used to set file capabilities. For example:
+
+sudo setcap cap_net_raw,cap_net_admin+ep wpa_supplicant
+
+Please note that this would give anyone being able to run that
+wpa_supplicant binary access to the additional capabilities. This can
+further be limited by file owner/group and mode bits. For example:
+
+sudo chown wpas wpa_supplicant
+sudo chmod 0100 wpa_supplicant
+
+This combination of setcap, chown, and chmod commands would allow wpas
+user to execute wpa_supplicant with additional network admin/raw
+capabilities.
+
+Common way style of creating a control interface socket in
+/var/run/wpa_supplicant could not be done by this user, but this
+directory could be created before starting the wpa_supplicant and set to
+suitable mode to allow wpa_supplicant to create sockets
+there. Alternatively, other directory or abstract socket namespace could
+be used for the control interface.