wpa_supplicant: introduce unprivileged service
This is the same setup that was proposed earlier, except we now create a new service, so the user can choose what to use (default to current root service). The unprivileged service has been working seamlessly for me for many months, but certain setups can be affected, e.g. wpa_cli (see also the discussion in nixpkgs).
See also the corresponding PR for dhcpcd #53404
What discussion in nixpkgs?
Just fully changing the ownership of the configuration directory to be writable by the unprivileged user does not seem like it's necessary.
Refs: https://github.com/NixOS/nixpkgs/pull/305722 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031375
Would chown -R _wpas:_wpas /etc/wpa_supplicant/* be better? If so, I can test it.
The reason is that there can be other files there, such as a password file (via ext_password_backend) or wifi certificates.
Maybe something like root:_wpas and make sure it's only owner-writable?
Indeed, this seems to be enough:
$ ls -la /etc/wpa_supplicant
total 20
drwxr-xr-x 2 root root 4096 Jun 14 19:38 .
drwxr-xr-x 60 root root 4096 Jun 14 19:46 ..
-rw-r----- 1 root _wpas 2094 Oct 12 2022 eduroam.cer
-rw-r----- 1 root _wpas 215 Nov 14 2024 wifi-passwords.conf
-rw-r----- 1 root _wpas 800 Feb 23 15:37 wpa_supplicant.conf
I changed the service accordingly.
At this point, the user only needs to change control_interface_group to _wpas in the conf file to use the unprivileged service.
Does this warrant an install msg?
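An added example, not part of the thread or the PR: a shell check for the layout shown in the listing above (root-owned directory that the service user cannot write to, files root:_wpas with mode no wider than 0640). The function name audit_conf_dir is hypothetical, and the script assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# audit_conf_dir DIR OWNER GROUP   (hypothetical helper, not from the PR)
# Prints one line per violation. Returns 0 if clean, 1 on violations,
# 2 if DIR cannot be inspected.
audit_conf_dir() {
    dir=$1 owner=$2 group=$3 bad=0

    # If the service user could write to the directory it could replace any
    # file in it, regardless of how the files themselves are protected.
    d_owner=$(stat -c %U "$dir") || return 2
    d_mode=$(stat -c %a "$dir")
    if [ "$d_owner" != "$owner" ] || [ $(( 0$d_mode & 022 )) -ne 0 ]; then
        echo "DIR  $dir: $d_owner mode $d_mode (want $owner, no group/other write)"
        bad=1
    fi

    # Config, password file and certificates: readable by the service group,
    # writable only by the owner, invisible to everyone else.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        f_own=$(stat -c %U:%G "$f")
        f_mode=$(stat -c %a "$f")
        # 07137 = every permission bit that 0640 does not grant.
        if [ "$f_own" != "$owner:$group" ] || [ $(( 0$f_mode & 07137 )) -ne 0 ]; then
            echo "FILE $f: $f_own mode $f_mode (want $owner:$group, at most 640)"
            bad=1
        fi
    done
    return $bad
}

# Usage: sh audit.sh /etc/wpa_supplicant root _wpas
if [ "$#" -ge 3 ]; then
    audit_conf_dir "$1" "$2" "$3"
fi
```

Symlinks and subdirectories are skipped rather than followed, so they need a separate look if the directory contains any.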
After some trial and error, I found out that I can even lock down the file system, giving it only access to:
--landlock-access fs \
--landlock-rule path-beneath:read-file:/proc/sys/net \
--landlock-rule path-beneath:read-file:/dev/urandom \
--landlock-rule path-beneath:read-file:/etc/group \
--landlock-rule path-beneath:read-file:/etc/wpa_supplicant \
--landlock-rule path-beneath:read-file,execute:/usr/bin/wpa_supplicant \
--landlock-rule path-beneath:read-file,execute:/usr/lib \
--landlock-rule path-beneath:read-file,read-dir,remove-dir,remove-file,make-sock:/run/wpa_supplicant \
Would it make sense to add this to the unprivileged service?