On Mon, Jul 28, 2008 at 07:26:12AM -0400, Dan Williams wrote: > However, the supplicant does need to be able to poke wireless stuff that > requires root privs, so there may need to be privilege separation or > something like that within the supplicant like you suggest. But you > don't need to do _all_ crypto in the user session, you only need to run > the bits that derive the TLS session key (and rekeys perhaps) since > those are the only bits that really require the user secrets directly.
wpa_supplicant 0.6.x has support for privilege separation that allows the wpa_supplicant process to be run as any user (wpa_priv process will be used for operations that require root access). Actually, this moves even more than all crypto into non-root user context. -- Jouni Malinen PGP id EFC895FA _______________________________________________ NetworkManager-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/networkmanager-list
