On Tuesday, July 3, 2007 5:14:29 pm Kel Modderman wrote: > > Does the emphasis on "waaayyyyy" indicate you want it moved somewhere else? My personal feeling is that it should be in a more natural place to look for it, and that security issues should be more prominent. At the bottom of a file dealing with modes of operation seems not intuitive. Why not just give the security issues their own README.security (or similar)?
> We'd have to provide the generic group "wheel" too. I think that is not > going to happen. I was of course using the example the documentation provided. Perhaps creating a group "wireless" might not be a terrible idea, though. > > README.modes suggests perms of 0600 because it describes use cases where > wpa_supplicant is started as system daemon (by root) only. Yes, that's right. The question is "What should be the recommended security precautions?" Once that's decided, sensible defaults should be set up and the documentation conformed. I see three options: (1) Set file permissions to 660 as default, with owner=root and group=root. Run as a system daemon, it would operate the same as 600. Run as a user application with a special group for wireless users, as the documentation suggests, it would automatically work when the sys admin followed the directions. (2) Keep file permissions the way they are, but add lingo to the documentation telling the sys admin to change the file permissions if he wants to allow one or more users to configure wireless without giving them su powers. (3) Set file permissions to 660, owner=root, group=wireless. Run as a system daemon, without any user in the wireless group, it's the same as 600. If the sys admin wants one or more users to be able to configure the wireless connection, he simply adds the users to the wireless group. My choice is number 3. Carrying a laptop around inevitably requires configuring the wireless settings for various local wireless network, and it's hard to predict in advance what is going to be required. Inevitably, the sys admin will have to give some sort of enhanced privileges to the user carrying the laptop. If the sys admin and the user are the same person, our buddy sudo does the trick and it's no big deal. But if the sys admin is in the IT department and the user is some salesman or consultant schlepping around in hotels and airports, the better part of valor would be to set up a wireless group and put the hapless users in that group. Option 3 would be a sensible default for file permissions, and reduce the number of configuration steps, no matter what the sys admin decided. To carry it a step farther, the install script could ask which users should be in the "wireless" group, providing a list of users to select among. > > Thanks, Kel. Thank YOU! Loye Young -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
