On 2022-06-15 09:43:50 +0300, Reco wrote:
> Hi.
>
> On Wed, Jun 15, 2022 at 03:30:53AM +0200, Vincent Lefevre wrote:
> > On 2022-06-14 15:43:40 +0100, Brian wrote:
> > > On Tue 14 Jun 2022 at 13:15:56 +0200, Vincent Lefevre wrote:
> > > > No issues with iwlist and nmcli.
> > >
> > > /usr/sbin/wpa_gui and /sbin/wpa_cli should both give sensible outputs
> > > when run as root.
> >
> > For security reasons, I don't want to run them as root.
>
> First example they provide in wpa_supplicant.conf(5) shows the way to
> use wpa_cli sensibly without being root.
> One just needs to define a group for wpa_supplicant's control socket, like
> this:
>
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev

This is either overkill (with a security risk, e.g. if this can allow
the user to become root), or Debian should have done that by default.

> Add a user to a netdev group and you're set.

I'm already in the netdev group (this was done automatically at
Debian installation time).

> > The iwlist and nmcli utilities don't need root to work correctly.
>
> I don't know about iwlist, but nmcli uses dbus to communicate with
> NetworkManager. From the security standpoint, such approach clearly
> loses to the simple unix socket communication restricted by natural
> POSIX permissions.

Actually, that's iwconfig that gives interesting information, such as
the current ESSID, and it doesn't need to be run as root either.
According to strace, it uses a socket and various SIOCGIW* ioctl
calls, e.g. SIOCGIWESSID. I suppose that this is a bit like

  http://papermint-designs.com/dmo-blog/2016-08-how-to-get-the-essid-of-the-wifi-network-you-are-connected-to-

(the author also used strace on iwconfig to find the method).

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
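
Added example (not part of the original message, and not code from wpa_supplicant or Debian): a small audit of the `ctrl_interface=DIR=... GROUP=...` setting quoted above, reporting the socket directory's permission bits and the group's listed members, so it is visible which accounts can reach the control socket. The function names and `SAMPLE_CONF` are constructed for illustration.

```python
import grp, os, re, stat

# Constructed sample matching the line quoted in the thread.
SAMPLE_CONF = "# constructed sample\nctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev\n"

def parse_ctrl_interface(conf_text):
    """Return (directory, group or None) from wpa_supplicant.conf text."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("ctrl_interface="):
            continue  # comments and other options
        value = line.split("=", 1)[1]
        m = re.match(r"DIR=(\S+)(?:\s+GROUP=(\S+))?$", value)
        if m:
            return m.group(1), m.group(2)
        return value, None  # plain-path form without GROUP
    return None

def audit_socket_dir(directory, group=None):
    """Summarise which accounts can reach the control sockets in directory."""
    st = os.stat(directory)
    mode = stat.S_IMODE(st.st_mode)
    report = {
        "mode": oct(mode), "owner_uid": st.st_uid, "gid": st.st_gid,
        # Connecting to a socket needs search (x) permission on its directory.
        "group_can_enter": bool(mode & stat.S_IXGRP),
        "world_can_enter": bool(mode & stat.S_IXOTH),
        "members": None, "sockets": {},
    }
    if group is not None:
        try:
            entry = grp.getgrgid(int(group)) if group.isdigit() else grp.getgrnam(group)
            # gr_mem lists supplementary members only, not users whose
            # primary group this is.
            report["members"] = sorted(entry.gr_mem)
        except KeyError:
            pass  # group not present on this system
    try:
        for name in os.listdir(directory):
            s = os.lstat(os.path.join(directory, name))
            if stat.S_ISSOCK(s.st_mode):
                report["sockets"][name] = oct(stat.S_IMODE(s.st_mode))
    except PermissionError:
        report["sockets"] = None  # caller may not list the directory
    return report

if __name__ == "__main__":
    directory, group = parse_ctrl_interface(SAMPLE_CONF)
    if os.path.isdir(directory):
        print(audit_socket_dir(directory, group))
```

A `world_can_enter` value of true, or unexpected names in `members`, means more accounts than intended can send commands to wpa_supplicant.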

