Document use of Linux capabilities instead of privileged process

Linux capabilities cap_net_admin and cap_net_raw can be used to replace
the need for running wpa_supplicant as a root process.

Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen 2013-09-29 12:04:40 +03:00
parent d85bb75d47
commit 5388dc97e0

@ -949,3 +949,37 @@ can be started when an interface is added (hotplug/udev/etc. scripts).
wpa_priv can control multiple interface with one process, but it is wpa_priv can control multiple interface with one process, but it is
also possible to run multiple wpa_priv processes at the same time, if also possible to run multiple wpa_priv processes at the same time, if
desired. desired.
Linux capabilities instead of privileged process
------------------------------------------------
wpa_supplicant performs operations that need special permissions, e.g.,
to control the network connection. Traditionally this has been achieved
by running wpa_supplicant as a privileged process with effective user id
0 (root). Linux capabilities can be used to provide restricted set of
capabilities to match the functions needed by wpa_supplicant. The
minimum set of capabilities needed for the operations is CAP_NET_ADMIN
and CAP_NET_RAW.
setcap(8) can be used to set file capabilities. For example:
sudo setcap cap_net_raw,cap_net_admin+ep wpa_supplicant
Please note that this would give anyone being able to run that
wpa_supplicant binary access to the additional capabilities. This can
further be limited by file owner/group and mode bits. For example:
sudo chown wpas wpa_supplicant
sudo chmod 0100 wpa_supplicant
This combination of setcap, chown, and chmod commands would allow wpas
user to execute wpa_supplicant with additional network admin/raw
capabilities.
Common way style of creating a control interface socket in
/var/run/wpa_supplicant could not be done by this user, but this
directory could be created before starting the wpa_supplicant and set to
suitable mode to allow wpa_supplicant to create sockets
there. Alternatively, other directory or abstract socket namespace could
be used for the control interface.
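Review bot: the setcap paragraph should state that file capabilities are stored as an extended attribute of the binary and are lost whenever the file is replaced (for example by a package upgrade or a fresh install), so `sudo setcap cap_net_raw,cap_net_admin+ep wpa_supplicant` has to be re-run after every update or the `wpas` user silently loses the ability to control interfaces. The control-interface paragraph would also benefit from spelling out the pre-creation it alludes to (which owner/group and mode to give /var/run/wpa_supplicant), since "set to suitable mode to allow wpa_supplicant to create sockets there" leaves the reader guessing. Minor: "Common way style of creating a control interface socket" should read "The common way of creating a control interface socket".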