Control: severity -1 minor

Hi

On Monday 28 October 2013, Andrew Shadura wrote:
> Hi,
>
> One more thought: wpasupplicant.conf may be what you want.

Using a wpasupplicant.conf should indeed avoid this, e.g.:

    allow-hotplug wlan0
    iface wlan0 inet manual
        wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

    iface xyz-work inet dhcp

See /usr/share/doc/wpa_supplicant/README.Debian.gz and the examples
under that directory for details.

While I currently don't have access to wpa-enterprise encrypted
networks, all you should end up seeing via "ifup -v" is something
like:

    Configuring interface wlan0=wlan0 (inet)
    […]
    run-parts: executing /etc/network/if-pre-up.d/wpasupplicant
    wpa_supplicant: wait for wpa_cli to attach
    wpa_supplicant: wpa-driver nl80211,wext (default)
    wpa_supplicant: /sbin/wpa_supplicant -s -B -P /var/run/wpa_supplicant.wlan0.pid -i wlan0 -W -D nl80211,wext -c /etc/wpa_supplicant/wpa_supplicant.conf
    Starting /sbin/wpa_supplicant...
    wpa_supplicant: creating sendsigs omission pidfile: /run/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan0.pid
    wpa_supplicant: ctrl_interface socket located at /var/run/wpa_supplicant/wlan0
    […]
    run-parts: executing /etc/network/if-up.d/wpasupplicant
    wpa_supplicant: /sbin/wpa_cli -B -P /var/run/wpa_action.wlan0.pid -i wlan0 -p /var/run/wpa_supplicant -a /sbin/wpa_action
    Starting /sbin/wpa_cli...

I'm adjusting the severity of this bug to minor, as an ordinary user
can't query this information. Actually I'm not quite sure if it
qualifies for a security tag either, but I'll keep that for the time
being.

    $ /sbin/ifup -v wlan0
    /sbin/ifup: failed to open lockfile /run/network/.ifstate.lock: Permission denied

You have to elevate its capabilities to root (via sudo) - at this point
the user has been granted unrestricted access to ifup and its options
anyways, including access to the wireless credentials.

While I will audit the wpa_supplicant hooks into ifupdown again (as
there are several changes planned anyways[1]), it would help me if you
could provide the full, obfuscated(!) (replace your password and other
private information with XXXXX), results of ifup -v for a
wpa-enterprise network.

As an unrelated remark, it's usually best not to mix the wireless-*
and wpa-* namespaces for the same interface stanza. Although doing so
shouldn't be harmful (as long as the settings agree), it might
create subtle race conditions between wireless-tools and
wpa_supplicant trying to configure the interface (you only get away
with this because wireless-tools is more or less stateless and not
a dæmon).

Regards
Stefan Lippers-Hollmann
[1] better DBus coexistence and #728092
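
An added example, not part of the original message or of the wpasupplicant package: a small audit of an /etc/network/interfaces file that flags stanzas carrying credentials inline (instead of using wpa-roam with a separate wpa_supplicant.conf) and stanzas that mix the wireless-* and wpa-* namespaces. The option list and the sample file are assumptions constructed for illustration.

```python
# Options that put a secret directly into /etc/network/interfaces
# (assumed list for this example; extend it for your site).
SECRET_OPTS = {"wpa-psk", "wpa-password", "wpa-private-key-passwd", "wireless-key"}

# Constructed sample file, not taken from the bug report.
SAMPLE = """\
allow-hotplug wlan0
iface wlan0 inet dhcp
    wireless-essid example-net
    wpa-ssid example-net
    wpa-psk XXXXX

# roaming setup as suggested in the message above
iface wlan1 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

iface xyz-work inet dhcp
"""

def _issues(opts):
    """Findings for one iface stanza; reports option names, never values."""
    found = [f"inline secret: {o}" for o in opts if o in SECRET_OPTS]
    if any(o.startswith("wpa-") for o in opts) and \
       any(o.startswith("wireless-") for o in opts):
        found.append("mixes wireless-* and wpa-* options")
    return found

def audit_interfaces(text):
    """Return {iface name: [findings]} for stanzas that need attention."""
    report, stanza, opts = {}, None, []
    for raw in text.splitlines() + ["auto end-of-file"]:  # sentinel closes last stanza
        words = raw.split()
        # Only whole-line comments exist in this format; a '#' inside a value is data.
        if not words or words[0].startswith("#"):
            continue
        key = words[0]
        new_stanza = key in ("iface", "mapping", "auto", "source", "source-directory") \
            or key.startswith("allow-")
        if not new_stanza:
            if stanza is not None:
                opts.append(key)
            continue
        if stanza is not None and _issues(opts):
            report[stanza] = _issues(opts)
        stanza = words[1] if key == "iface" and len(words) > 1 else None
        opts = []
    return report

if __name__ == "__main__":
    for name, findings in audit_interfaces(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```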

