[pkg-wpa-devel] Bug#428620: Bug#428620: Conflicting advice regarding security

Kel Modderman kel at otaku42.de
Thu Jul 5 12:48:10 UTC 2007


Hi Loye,

On Wed, 4 Jul 2007 01:43:49 pm Loye Young wrote:
> On Tuesday, July 3, 2007 5:14:29 pm Kel Modderman wrote:
> > Does the emphasis on "waaayyyyy" indicate you want it moved somewhere
> > else?
>
> My personal feeling is that it should be in a more natural place to look
> for it, and that security issues should be more prominent. At the bottom of
> a file dealing with modes of operation seems not intuitive. Why not just
> give the security issues their own README.security (or similar)?

Sure, that would be good.

>
> > We'd have to provide the generic group "wheel" too. I think that is not
> > going to happen.
>
> I was of course using the example the documentation provided. Perhaps
> creating a group "wireless" might not be a terrible idea, though.

We already provide the group "netdev".

>
> > README.modes suggests perms of 0600 because it describes use cases where
> > wpa_supplicant is started as system daemon (by root) only.
>
> Yes, that's right. The question is "What should be the recommended security
> precautions?" Once that's decided, sensible defaults should be set up and
> the documentation conformed.

Please draft something based on 3) below. The admin could use the "netdev" 
group if required, or create a group of his own naming, and would have to 
create/set permissions for any config files required.

>
> I see three options:
> (1) Set file permissions to 660 as default, with owner=root and group=root.
> Run as a system daemon, it would operate the same as 600. Run as a user
> application with a special group for wireless users, as the documentation
> suggests, it would automatically work when the sys admin followed the
> directions.
> (2) Keep file permissions the way they are, but add lingo to the
> documentation telling the sys admin to change the file permissions if he
> wants to allow one or more users to configure wireless without giving them
> su powers.
> (3) Set file permissions to 660, owner=root, group=wireless. Run
> as a system daemon, without any user in the wireless group, it's the same
> as 600. If the sys admin wants one or more users to be able to configure
> the wireless connection, he simply adds the users to the wireless group.
>
> My choice is number 3. Carrying a laptop around inevitably requires
> configuring the wireless settings for various local wireless networks, and
> it's hard to predict in advance what is going to be required. Inevitably,
> the sys admin will have to give some sort of enhanced privileges to the
> user carrying the laptop. If the sys admin and the user are the same
> person, our buddy sudo does the trick and it's no big deal. But if the sys
> admin is in the IT department and the user is some salesman or consultant
> schlepping around in hotels and airports, the better part of valor would be
> to set up a wireless group and put the hapless users in that group. Option
> 3 would be a sensible default for file permissions, and reduce the number
> of configuration steps, no matter what the sys admin decided.

The wpasupplicant package does not provide a "/etc/wpa_supplicant.conf" (or any
config file of that sort) anymore, therefore cannot provide default 
permissions for that file or any other that we don't provide. All we can 
provide is words of wisdom.

/etc/network/interfaces is provided by another package, wpasupplicant has 
nothing to do with it, and never will directly.

Other applications such as Network Manager govern wpa_supplicant via dbus, with
a security policy allowing people in the "netdev" group to be involved.

>
> To carry it a step farther, the install script could ask which users should
> be in the "wireless" group, providing a list of users to select among.

Thanks, Kel.
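
The permission options weighed in this thread (0600 for a root-started daemon, or 0660 with an admin-chosen group such as "netdev"), written as a shell check an administrator could run against a config file they created. This is an added example, not part of the original message or of the wpasupplicant package; the function name `check_wpa_conf`, its arguments and the use of `stat -c` (GNU or BusyBox) are assumptions.

```shell
#!/bin/sh
# Added example, not from the wpasupplicant package.
# check_wpa_conf FILE [GROUP] [OWNER_UID]   (hypothetical helper)
#   Returns 0 if FILE is owned by OWNER_UID, grants nothing to "other",
#   and grants group access only when the file's group is GROUP.
#   Assumes a stat that supports -c (GNU coreutils or BusyBox).
check_wpa_conf() {
    file=$1
    want_group=${2:-netdev}   # group named in the thread; admin may pick another
    want_uid=${3:-0}          # the thread's options all assume owner=root
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"; return 1
    fi
    mode=$(stat -c %a "$file")    # octal mode, e.g. 600 or 660
    uid=$(stat -c %u "$file")     # numeric owner
    group=$(stat -c %G "$file")   # group name

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid $uid, expected $want_uid"; return 1
    fi
    # Any bit for "other" lets every local user read or alter the file.
    if [ $(( 0$mode & 07 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to other"; return 1
    fi
    # Group bits are acceptable only for the designated group (option 3).
    if [ $(( 0$mode & 070 )) -ne 0 ] && [ "$group" != "$want_group" ]; then
        echo "FAIL: mode $mode grants access to group $group, expected $want_group"
        return 1
    fi
    echo "OK: $file mode $mode group $group"
}

# Usage: sh check.sh /path/to/config [group] [owner-uid]
if [ $# -gt 0 ]; then check_wpa_conf "$@"; fi
```

With no user in the designated group, a 0660 file passes for the same reason the thread gives: it is equivalent to 0600 until the admin adds members.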



