1 <!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> 2 3 <refentry> 4 <refentryinfo> 5 <date>07 August 2019</date> 6 </refentryinfo> 7 8 <refmeta> 9 <refentrytitle>wpa_priv</refentrytitle> 10 <manvolnum>8</manvolnum> 11 </refmeta> 12 <refnamediv> 13 <refname>wpa_priv</refname> 14 15 <refpurpose>wpa_supplicant privilege separation helper</refpurpose> 16 </refnamediv> 17 18 <refsynopsisdiv> 19 <cmdsynopsis> 20 <command>wpa_priv</command> 21 <arg>-c <replaceable>ctrl path</replaceable></arg> 22 <arg>-Bdd</arg> 23 <arg>-P <replaceable>pid file</replaceable></arg> 24 <arg>driver:ifname <replaceable>[driver:ifname ...]</replaceable></arg> 25 </cmdsynopsis> 26 </refsynopsisdiv> 27 28 <refsect1> 29 <title>Overview</title> 30 31 <para><command>wpa_priv</command> is a privilege separation helper that 32 minimizes the size of <command>wpa_supplicant</command> code that needs 33 to be run with root privileges.</para> 34 35 <para>If enabled, privileged operations are done in the wpa_priv process 36 while leaving rest of the code (e.g., EAP authentication and WPA 37 handshakes) to operate in an unprivileged process (wpa_supplicant) that 38 can be run as non-root user. Privilege separation restricts the effects 39 of potential software errors by containing the majority of the code in an 40 unprivileged process to avoid the possibility of a full system 41 compromise.</para> 42 43 <para><command>wpa_priv</command> needs to be run with network admin 44 privileges (usually, root user). It opens a UNIX domain socket for each 45 interface that is included on the command line; any other interface will 46 be off limits for <command>wpa_supplicant</command> in this kind of 47 configuration. After this, <command>wpa_supplicant</command> can be run as 48 a non-root user (e.g., all standard users on a laptop or as a special 49 non-privileged user account created just for this purpose to limit access 50 to user files even further).</para> 51 </refsect1> 52 <refsect1> 53 <title>Example configuration</title> 54 55 <para>The following steps are an example of how to configure 56 <command>wpa_priv</command> to allow users in the 57 <emphasis>wpapriv</emphasis> group to communicate with 58 <command>wpa_supplicant</command> with privilege separation:</para> 59 60 <para>Create user group (e.g., wpapriv) and assign users that 61 should be able to use wpa_supplicant into that group.</para> 62 63 <para>Create /var/run/wpa_priv directory for UNIX domain sockets and 64 control user access by setting it accessible only for the wpapriv 65 group:</para> 66 67 <blockquote><programlisting> 68 mkdir /var/run/wpa_priv 69 chown root:wpapriv /var/run/wpa_priv 70 chmod 0750 /var/run/wpa_priv 71 </programlisting></blockquote> 72 73 <para>Start <command>wpa_priv</command> as root (e.g., from system 74 startup scripts) with the enabled interfaces configured on the 75 command line:</para> 76 77 <blockquote><programlisting> 78 wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0 79 </programlisting></blockquote> 80 81 <para>Run <command>wpa_supplicant</command> as non-root with a user 82 that is in the wpapriv group:</para> 83 84 <blockquote><programlisting> 85 wpa_supplicant -i ath0 -c wpa_supplicant.conf 86 </programlisting></blockquote> 87 88 </refsect1> 89 <refsect1> 90 <title>Command Arguments</title> 91 <variablelist> 92 <varlistentry> 93 <term>-c ctrl path</term> 94 95 <listitem><para>Specify the path to wpa_priv control directory 96 (Default: /var/run/wpa_priv/).</para></listitem> 97 </varlistentry> 98 99 <varlistentry> 100 <term>-B</term> 101 <listitem><para>Run as a daemon in the background.</para></listitem> 102 </varlistentry> 103 104 <varlistentry> 105 <term>-P file</term> 106 107 <listitem><para>Set the location of the PID 108 file.</para></listitem> 109 </varlistentry> 110 111 <varlistentry> 112 <term>driver:ifname [driver:ifname ...]</term> 113 114 <listitem><para>The <driver> string dictates which of the 115 supported <command>wpa_supplicant</command> driver backends is to be 116 used. To get a list of supported driver types see wpa_supplicant help 117 (e.g, wpa_supplicant -h). The driver backend supported by most good 118 drivers is <emphasis>wext</emphasis>.</para> 119 120 <para>The <ifname> string specifies which network 121 interface is to be managed by <command>wpa_supplicant</command> 122 (e.g., wlan0 or ath0).</para> 123 124 <para><command>wpa_priv</command> does not use the network interface 125 before <command>wpa_supplicant</command> is started, so it is fine to 126 include network interfaces that are not available at the time wpa_priv 127 is started. wpa_priv can control multiple interfaces with one process, 128 but it is also possible to run multiple <command>wpa_priv</command> 129 processes at the same time, if desired.</para></listitem> 130 </varlistentry> 131 </variablelist> 132 </refsect1> 133 <refsect1> 134 <title>See Also</title> 135 <para> 136 <citerefentry> 137 <refentrytitle>wpa_supplicant</refentrytitle> 138 <manvolnum>8</manvolnum> 139 </citerefentry> 140 </para> 141 </refsect1> 142 <refsect1> 143 <title>Legal</title> 144 <para>wpa_supplicant is copyright (c) 2003-2022, 145 Jouni Malinen <email>j (a] w1.fi</email> and 146 contributors. 147 All Rights Reserved.</para> 148 149 <para>This program is licensed under the BSD license (the one with 150 advertisement clause removed).</para> 151 </refsect1> 152 </refentry> 153
Indexes created Sun May 03 00:22:47 UTC 2026