On Wed, Jun 15, 2022 at 11:33:00AM +0200, Vincent Lefevre wrote:
> On 2022-06-15 09:43:50 +0300, Reco wrote:
> > Hi.
> >
> > On Wed, Jun 15, 2022 at 03:30:53AM +0200, Vincent Lefevre wrote:
> > > On 2022-06-14 15:43:40 +0100, Brian wrote:
> > > > On Tue 14 Jun 2022 at 13:15:56 +0200, Vincent Lefevre wrote:
> > > > > No issues with iwlist and nmcli.
> > > >
> > > > /usr/sbin/wpa_gui and /sbin/wpa_cli should both give sensible outputs
> > > > when run as root.
> > >
> > > For security reasons, I don't want to run them as root.
> >
> > First example they provide in wpa_supplicant.conf(5) shows the way to
> > use wpa_cli sensibly without being root.
> > One just needs to define a group for wpa_supplicant's control socket, like
> > this:
> >
> > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
>
> This is either overkill (with a security risk, e.g. if this can allow
> the user to become root),

It cannot allow that, barring the security bugs in wpa_supplicant.
It does give the user full control over a wpa_supplicant process though
(i.e. associate with arbitrary AP, terminate the process, etc).

> or Debian should have done that by default.

That's my opinion too, but wpasupplicant package does not provide
wpa_supplicant.conf by default.
README.Debian should mention that bit of configuration probably.

> > > The iwlist and nmcli utilities don't need root to work correctly.
> >
> > I don't know about iwlist, but nmcli uses dbus to communicate with
> > NetworkManager. From the security standpoint, such approach clearly
> > loses to the simple unix socket communication restricted by natural
> > POSIX permissions.
>
> Actually, that's iwconfig that gives interesting information, such
> as the current ESSID, and it doesn't need to be run as root either.

So is "iw dev ... info", which uses "modern" communication via AF_NETLINK socket.

Reco
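An added example, not part of the message above and not wpa_supplicant's own code: a small Python audit for the `ctrl_interface` setting discussed in the thread, which reads the directory and group from a configuration and reports who can reach the control sockets from the directory's POSIX mode bits. The sample configurations are constructed; the separate `ctrl_interface_group` key is the alternative spelling from wpa_supplicant.conf, and the function names are hypothetical.

```python
import os
import re
import stat

# Constructed sample configs for illustration (not taken from any real host).
SAMPLE_GROUP = "ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev\nupdate_config=1\n"
SAMPLE_PLAIN = "# no group given\nctrl_interface=/run/wpa_supplicant\n"
SAMPLE_SPLIT = "ctrl_interface=/run/wpa_supplicant\nctrl_interface_group=netdev\n"


def parse_ctrl_interface(conf_text):
    """Return (directory, group) from wpa_supplicant.conf text; group is None if unset."""
    directory = group = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "ctrl_interface":
            # Either "DIR=<path> GROUP=<group>" or a bare path.
            m = re.match(r"DIR=(\S+)(?:\s+GROUP=(\S+))?$", value)
            directory = m.group(1) if m else value
            if m and m.group(2):
                group = m.group(2)
        elif key == "ctrl_interface_group":
            group = value
    return directory, group


def audit_socket_dir(path):
    """Report who can reach the control sockets, judged from the directory mode only."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IXOTH:
        findings.append("world-searchable: every local user can enter the socket directory")
    if mode & stat.S_IXGRP:
        findings.append("members of gid %d can enter the socket directory" % st.st_gid)
    return mode, findings or ["owner-only"]


if __name__ == "__main__":
    for sample in (SAMPLE_GROUP, SAMPLE_PLAIN, SAMPLE_SPLIT):
        print(parse_ctrl_interface(sample))
    directory, _ = parse_ctrl_interface(SAMPLE_GROUP)
    if os.path.isdir(directory):  # only present where wpa_supplicant is running
        print(oct(audit_socket_dir(directory)[0]), audit_socket_dir(directory)[1])
```

The audit looks at the directory only; the mode of each per-interface socket inside it also applies.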

