<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">

<refentry>
  <refentryinfo>
    <date>07 August 2019</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle>wpa_priv</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>wpa_priv</refname>

    <refpurpose>wpa_supplicant privilege separation helper</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>wpa_priv</command>
      <arg>-c <replaceable>ctrl path</replaceable></arg>
      <arg>-Bdd</arg>
      <arg>-P <replaceable>pid file</replaceable></arg>
      <arg>driver:ifname <replaceable>[driver:ifname ...]</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Overview</title>

    <para><command>wpa_priv</command> is a privilege separation helper that
    minimizes the amount of <command>wpa_supplicant</command> code that needs
    to run with root privileges.</para>

    <para>If enabled, privileged operations (the driver calls that need
    root) are done in the wpa_priv process, while the rest of the code
    (e.g., EAP authentication and WPA handshakes) runs in an unprivileged
    process (wpa_supplicant) that can be run as a non-root user. Privilege
    separation limits the effect of a software error by keeping the majority
    of the code in an unprivileged process, so that a bug there does not by
    itself lead to a full system compromise.</para>

    <para><command>wpa_priv</command> needs to be run with network admin
    privileges (usually, as root). It opens a UNIX domain socket for each
    interface that is included on the command line; any other interface is
    not reachable by <command>wpa_supplicant</command> in this kind of
    configuration. After this, <command>wpa_supplicant</command> can be run
    as a non-root user (e.g., as any standard user on a laptop, or as a
    dedicated unprivileged account created just for this purpose to limit
    access to user files even further).</para>
  </refsect1>
  <refsect1>
    <title>Example configuration</title>

    <para>The following steps are an example of how to configure
    <command>wpa_priv</command> to allow users in the
    <emphasis>wpapriv</emphasis> group to run
    <command>wpa_supplicant</command> with privilege separation:</para>

    <para>Create a user group (e.g., wpapriv) and add the users that
    should be able to use wpa_supplicant to that group.</para>

    <para>Create the /var/run/wpa_priv directory for the UNIX domain sockets
    and restrict access to it so that only root and the wpapriv group can
    reach the sockets. Only root may create or remove entries in it, so a
    member of the group cannot replace a wpa_priv socket with one of their
    own:</para>

    <blockquote><programlisting>
mkdir /var/run/wpa_priv
chown root:wpapriv /var/run/wpa_priv
chmod 0750 /var/run/wpa_priv
    </programlisting></blockquote>

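    <para>The whole procedure of this section (group, control directory,
    starting wpa_priv, then wpa_supplicant as a group member) collected into
    one script, as an added example that is not part of wpa_supplicant or of
    this manual page. It assumes a Linux system with
    <command>getent</command> and <command>groupadd</command>, a GNU or BSD
    <command>stat</command>, and wpa_priv on the PATH; the group name, paths
    and driver:ifname arguments are parameters, and the function names are
    this example's own. Before starting wpa_priv it checks that the control
    directory is neither world-accessible nor group-writable, which is the
    part of the setup that decides who can reach the helper's sockets.</para>

```shell
#!/bin/sh
# Added example (not wpa_supplicant project code): set up wpa_priv privilege
# separation as described in wpa_priv(8) and verify the control directory
# permissions before starting the helper.
# Assumptions (not from the manual page): Linux getent(1)/groupadd(8),
# GNU or BSD stat(1), wpa_priv on PATH.

# Print "mode owner group" for a path; tries GNU stat first, then BSD stat.
path_stat() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%OLp %Su %Sg' "$1"
}

# check_ctrl_dir DIR OWNER GROUP
# Succeeds only if DIR is a directory owned by OWNER:GROUP whose mode gives
# "other" no access at all and the group no write access (0750 as in the
# manual page, or stricter such as 0700).  Group write would let one group
# member delete or replace another user's wpa_priv socket; any "other" bit
# would expose the sockets to every local user.
check_ctrl_dir() {
    dir=$1; want_owner=$2; want_group=$3
    if ! [ -d "$dir" ]; then
        echo "check_ctrl_dir: $dir is not a directory" >&2
        return 1
    fi
    set -- $(path_stat "$dir")
    mode=$1; owner=$2; group=$3
    perms=${mode#${mode%???}}    # low three octal digits (drops a setgid/sticky digit)
    grp=${perms%?}; grp=${grp#?} # middle digit: group permissions
    other=${perms#??}            # last digit: permissions for everyone else
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "check_ctrl_dir: $dir is $owner:$group, want $want_owner:$want_group" >&2
        return 1
    fi
    if [ "$other" != 0 ]; then
        echo "check_ctrl_dir: $dir mode $perms grants access to other users" >&2
        return 1
    fi
    case $grp in
        0|1|4|5) ;;
        *) echo "check_ctrl_dir: $dir mode $perms is group-writable" >&2; return 1 ;;
    esac
    return 0
}

# setup_wpa_priv GROUP CTRL_DIR PID_FILE driver:ifname [driver:ifname ...]
# Must run as root.  Creates the group and the control directory, locks the
# directory down to root:GROUP 0750, verifies it, then starts wpa_priv.
setup_wpa_priv() {
    group=$1; ctrl_dir=$2; pid_file=$3
    shift 3
    getent group "$group" >/dev/null 2>&1 || groupadd "$group"
    mkdir -p "$ctrl_dir"
    chown "root:$group" "$ctrl_dir"
    chmod 0750 "$ctrl_dir"
    check_ctrl_dir "$ctrl_dir" root "$group" || return 1
    wpa_priv -B -c "$ctrl_dir" -P "$pid_file" "$@"
}

# Command line front end.  Typical use, as root:
#   sh wpa_priv_setup.sh setup wpapriv /var/run/wpa_priv /var/run/wpa_priv.pid wext:wlan0
# then, as a member of wpapriv:
#   wpa_supplicant -i wlan0 -c wpa_supplicant.conf
# The "check" mode needs no privileges and audits an existing directory:
#   sh wpa_priv_setup.sh check /var/run/wpa_priv root wpapriv
case ${1:-} in
    setup) shift; setup_wpa_priv "$@" ;;
    check) shift; check_ctrl_dir "$@" ;;
esac
```

    <para>The check reads the low three permission digits only, so a setgid
    or sticky bit on the directory does not confuse it, and it runs the
    GNU form of <command>stat</command> first and falls back to the BSD form.
    The "check" mode is the part worth keeping around: it can be run from a
    cron job or an audit script by any user who can stat the directory.</para>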
    <para>Start <command>wpa_priv</command> as root (e.g., from the system
    startup scripts) with the enabled interfaces given on the
    command line:</para>

    <blockquote><programlisting>
wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0
    </programlisting></blockquote>

    <para>Run <command>wpa_supplicant</command> as a non-root user
    that is in the wpapriv group, on the same interface:</para>

    <blockquote><programlisting>
wpa_supplicant -i wlan0 -c wpa_supplicant.conf
    </programlisting></blockquote>

  </refsect1>
  <refsect1>
    <title>Command Arguments</title>
    <variablelist>
      <varlistentry>
        <term>-c ctrl path</term>

        <listitem><para>Specify the path to the wpa_priv control directory
        (Default: /var/run/wpa_priv/).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>-B</term>
        <listitem><para>Run as a daemon in the background.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>-d</term>
        <listitem><para>Increase debugging verbosity (-dd even
        more).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>-P file</term>

        <listitem><para>Set the location of the PID
        file.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term>driver:ifname [driver:ifname ...]</term>

        <listitem><para>The &lt;driver&gt; string dictates which of the
        supported <command>wpa_supplicant</command> driver backends is to be
        used. To get a list of the driver types compiled in, see the
        wpa_supplicant help (e.g., wpa_supplicant -h).
        <emphasis>wext</emphasis> is the legacy Linux Wireless Extensions
        backend; on current Linux kernels <emphasis>nl80211</emphasis> is
        the usual choice.</para>

        <para>The &lt;ifname&gt; string specifies which network
        interface is to be managed by <command>wpa_supplicant</command>
        (e.g., wlan0 or ath0).</para>

        <para><command>wpa_priv</command> does not use the network interface
        before <command>wpa_supplicant</command> is started, so it is fine to
        include network interfaces that are not available at the time wpa_priv
        is started. wpa_priv can control multiple interfaces with one process,
        but it is also possible to run multiple <command>wpa_priv</command>
        processes at the same time, if desired.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry>
        <refentrytitle>wpa_supplicant</refentrytitle>
        <manvolnum>8</manvolnum>
      </citerefentry>
    </para>
  </refsect1>
  <refsect1>
    <title>Legal</title>
    <para>wpa_supplicant is copyright (c) 2003-2022,
    Jouni Malinen <email>j@w1.fi</email> and
    contributors.
    All Rights Reserved.</para>

    <para>This program is licensed under the BSD license (the one with
    advertisement clause removed).</para>
  </refsect1>
</refentry>