Skip to content

wpa_supplicant: introduce unprivileged service#55802

Open
dkwo wants to merge 1 commit intovoid-linux:masterfrom
dkwo:wpas
Open

wpa_supplicant: introduce unprivileged service#55802
dkwo wants to merge 1 commit intovoid-linux:masterfrom
dkwo:wpas

Conversation

@dkwo
Copy link
Contributor

@dkwo dkwo commented Jun 14, 2025

This is the same setup that was proposed earlier, except we now create a new service, so the user can choose what to use (default to current root service). The unprivileged service has been working seamlessly for me for many months, but certain setups can be affected, e.g. wpa_cli (see also the discussion in nixpkgs).

See also the corresponging pr for dhcpcd #53404

@classabbyamp
Copy link
Member

classabbyamp commented Jun 15, 2025

what discussion in nixpkgs?

@Duncaen
Copy link
Member

Duncaen commented Jun 15, 2025

Just fully changing the ownership of the configuration directory to the writable by the unprivileged user does not seem like its necessary.

@dkwo
Copy link
Contributor Author

dkwo commented Jun 15, 2025

Refs: NixOS/nixpkgs#305722 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031375

Would chown -R _wpas:_wpas /etc/wpa_supplicant/* be better? if so, I can test it.
The reason is that there can be other files there, such as a password file (via ext_password_backend) or wifi certificates.

@Duncaen
Copy link
Member

Duncaen commented Jun 15, 2025

Maybe something like root:_wpas and make sure its only owner writable?

@dkwo
Copy link
Contributor Author

dkwo commented Jun 15, 2025

Indeed, this seems to be enough:

$ ls -la /etc/wpa_supplicant 
total 20
drwxr-xr-x  2 root root  4096 Jun 14 19:38 .
drwxr-xr-x 60 root root  4096 Jun 14 19:46 ..
-rw-r-----  1 root _wpas 2094 Oct 12  2022 eduroam.cer
-rw-r-----  1 root _wpas  215 Nov 14  2024 wifi-passwords.conf
-rw-r-----  1 root _wpas  800 Feb 23 15:37 wpa_supplicant.conf

I changed the service accordingly.
At this point, the user only needs to change control_interface_group to _wpas in the conf file to use the unprivileged service.
Does this warrant an install msg?

@dkwo
Copy link
Contributor Author

dkwo commented Sep 19, 2025

After some trial and error, I found out that I can even lockdown the file system, giving it only access to

  --landlock-access fs \
  --landlock-rule path-beneath:read-file:/proc/sys/net \
  --landlock-rule path-beneath:read-file:/dev/urandom \
  --landlock-rule path-beneath:read-file:/etc/group \
  --landlock-rule path-beneath:read-file:/etc/wpa_supplicant \
  --landlock-rule path-beneath:read-file,execute:/usr/bin/wpa_supplicant \
  --landlock-rule path-beneath:read-file,execute:/usr/lib \
  --landlock-rule path-beneath:read-file,read-dir,remove-dir,remove-file,make-sock:/run/wpa_supplicant \

Would it make sense to add this to the unprivileged service?

@github-actions
Copy link

github-actions bot commented Dec 19, 2025

Pull Requests become stale 90 days after last activity and are closed 14 days after that. If this pull request is still relevant bump it or assign it.

@github-actions github-actions bot added the Stale label Dec 19, 2025
@github-actions github-actions bot removed the Stale label Dec 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dkwo @classabbyamp @Duncaen