From a least privileges perspective:

- chmod o-rwx /var/run/hostapd-phyX.conf
- chmod o-x uci # setfacl?

Compromise of a service running as a different user should not result in
disclosure of sensitive keys only necessary for different services.

https://openwrt.org/docs/guide-user/security/security-features mentions
procd jail / chroot?

AFAIU, LXC is not available in the default kernel builds in any router? LXC
would be an additional layer of defenses over and above chroot, which isn't
seccomp

On Fri, Apr 17, 2020, 5:13 AM Joel Wirāmu Pauling <j...@aenertia.net> wrote:

> No. If you have physical access to the node and/or a valid login as Admin
> then any form of PSK is vulnerable.
>
> If you are concerned about PSKs being exposed then you have the option to
> run 802.1x auth and issue tokens out of radius/IDM that is secured
> elsewhere than on the AP itself.
>
> On Fri, 17 Apr 2020 at 20:16, e9hack <e9h...@gmail.com> wrote:
>
>> Hi,
>>
>> the configuration files for hostapd (/var/run/hostapd-phyX.conf) are
>> readable for everyone. This means everyone can read the wifi passwords. If
>> a non-privileged user calls 'uci show wireless', he will also get all wifi
>> passwords. This is possible e.g. for user nobody and dnsmasq.
>>
>> Is this a security issue?
>>
>> Regards,
>> Hartmut
>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel@lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>>
>
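The two chmod changes proposed at the top of this message, turned into a small audit and hardening script. This is an added example, not code from the thread or from OpenWrt; it takes the directory and the uci path as parameters and builds a constructed sample tree so it can be exercised without touching a live /var/run.

```shell
#!/bin/sh
# Audit and harden world-readable hostapd runtime configs and a
# world-executable uci binary (constructed example, not OpenWrt code).

# Print each hostapd-*.conf under $1 whose "other" read bit is set.
world_readable_hostapd_confs() {
    dir="$1"
    # -perm -004: o+r bit set; octal form works with GNU, BSD and BusyBox find
    find "$dir" -name 'hostapd-*.conf' -type f -perm -004 2>/dev/null | sort
}

# Number of world-readable configs under $1, for scripted checks.
count_world_readable() {
    world_readable_hostapd_confs "$1" | wc -l | tr -d ' '
}

# Apply the proposed fix (chmod o-rwx) to every hostapd-*.conf under $1.
harden_hostapd_confs() {
    dir="$1"
    find "$dir" -name 'hostapd-*.conf' -type f -exec chmod o-rwx {} \;
}

# Succeed (exit 0) if the binary at $1 is executable by "other".
# Column 10 of "ls -ld" output is the other-execute bit.
uci_other_executable() {
    bit=$(ls -ld "$1" | cut -c10)
    [ "$bit" = "x" ]
}

# Constructed sample tree mimicking /var/run on an OpenWrt box; prints its path.
make_sample_tree() {
    tmp=$(mktemp -d)
    printf 'ssid=lab\nwpa_passphrase=EXAMPLE-NOT-REAL\n'   > "$tmp/hostapd-phy0.conf"
    printf 'ssid=guest\nwpa_passphrase=EXAMPLE-NOT-REAL\n' > "$tmp/hostapd-phy1.conf"
    : > "$tmp/unrelated.conf"
    printf '#!/bin/sh\n' > "$tmp/uci"
    chmod 644 "$tmp/hostapd-phy0.conf" "$tmp/hostapd-phy1.conf" "$tmp/unrelated.conf"
    chmod 755 "$tmp/uci"
    echo "$tmp"
}
```

On a real box you would call `harden_hostapd_confs /var/run` and `chmod o-x "$(command -v uci)"`, then re-run `count_world_readable /var/run` to confirm it reports 0.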