Bug#428620: [pkg-wpa-devel] Bug#428620: Conflicting advice regarding security
Hi Loye, On Wed, 4 Jul 2007 01:43:49 pm Loye Young wrote: On Tuesday, July 3, 2007 5:14:29 pm Kel Modderman wrote: Does the emphasis on waaay indicate you want it moved somewhere else? My personal feeling is that it should be in a more natural place to look for it, and that security issues should be more prominent. At the bottom of a file dealing with modes of operation seems not intuitive. Why not just give the security issues their own README.security (or similar)? Sure, that would be good. We'd have to provide the generic group wheel too. I think that is not going to happen. I was of course using the example the documentation provided. Perhaps creating a group wireless might not be a terrible idea, though. We already provide the group netdev. README.modes suggests perms of 0600 because it describes use cases where wpa_supplicant is started as system daemon (by root) only. Yes, that's right. The question is What should be the recommended security precautions? Once that's decided, sensible defaults should be set up and the documentation conformed. Please draft something based on 3) below. The admin could use the netdev group if required, or create a group of his own naming, and would have to create/set permissions for any config files required. I see three options: (1) Set file permissions to 660 as default, with owner=root and group=root. Run as a system daemon, it would operate the same as 600. Run as a user application with a special group for wireless users, as the documentation suggests, it would automatically work when the sys admin followed the directions. (2) Keep file permissions the way they are, but add lingo to the documentation telling the sys admin to change the file permissions if he wants to allow one or more users to configure wireless without giving them su powers. (3) Set file permissions to 660, owner=root, group=wireless. Run as a system daemon, without any user in the wireless group, it's the same as 600. If the sys admin wants one or more users to be able to configure the wireless connection, he simply adds the users to the wireless group. My choice is number 3. Carrying a laptop around inevitably requires configuring the wireless settings for various local wireless network, and it's hard to predict in advance what is going to be required. Inevitably, the sys admin will have to give some sort of enhanced privileges to the user carrying the laptop. If the sys admin and the user are the same person, our buddy sudo does the trick and it's no big deal. But if the sys admin is in the IT department and the user is some salesman or consultant schlepping around in hotels and airports, the better part of valor would be to set up a wireless group and put the hapless users in that group. Option 3 would be a sensible default for file permissions, and reduce the number of configuration steps, no matter what the sys admin decided. wpasupplicant package does not provide a /etc/wpa_supplicant.conf (or any config file of that sort) anymore, therefore cannot provide default permissions for that file or any other that we don't provide. All we can provide is words of wisdom. /etc/network/interfaces is provided by another package, wpasupplicant has nothing to do with it, and never will directly. Other applications such as Network Manager govern wpa_supplicant via dbus with security policy allowing people in netdev group be involved. To carry it a step farther, the install script could ask which users should be in the wireless group, providing a list of users to select among. Thanks, Kel. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#428620: [pkg-wpa-devel] Bug#428620: Conflicting advice regarding security
Hi Loye, On Wed, 13 Jun 2007 10:18:06 am Loye Young wrote: Package: wpasupplicant Version: 0.5.7 /usr/share/doc/wpasupplicant/README.modes.gz advises (waaay down at the bottom) to set permissions to 0600 for both /etc/network/interfaces and /etc/wpa_supplicant/wpa_supplicant.conf. Does the emphasis on waaay indicate you want it moved somewhere else? /usr/share/doc/wpasupplicant/examples/README.wpa_supplicant.conf.gz advises that by setting GROUP=wheel, non-root users can use the control interface, but wpa_supplicant can run as root. However, if wpa_supplicant.conf is 0600, only root can read the file and client apps fail because they cannot read configuration file. Would it make sense to: chmod root:wheel wpa_supplicant.conf chmod 0660 wpa_supplicant.conf by default? We'd have to provide the generic group wheel too. I think that is not going to happen. README.modes suggests perms of 0600 because it describes use cases where wpa_supplicant is started as system daemon (by root) only. Thanks, Kel. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#428620: [pkg-wpa-devel] Bug#428620: Conflicting advice regarding security
On Tuesday, July 3, 2007 5:14:29 pm Kel Modderman wrote: Does the emphasis on waaay indicate you want it moved somewhere else? My personal feeling is that it should be in a more natural place to look for it, and that security issues should be more prominent. At the bottom of a file dealing with modes of operation seems not intuitive. Why not just give the security issues their own README.security (or similar)? We'd have to provide the generic group wheel too. I think that is not going to happen. I was of course using the example the documentation provided. Perhaps creating a group wireless might not be a terrible idea, though. README.modes suggests perms of 0600 because it describes use cases where wpa_supplicant is started as system daemon (by root) only. Yes, that's right. The question is What should be the recommended security precautions? Once that's decided, sensible defaults should be set up and the documentation conformed. I see three options: (1) Set file permissions to 660 as default, with owner=root and group=root. Run as a system daemon, it would operate the same as 600. Run as a user application with a special group for wireless users, as the documentation suggests, it would automatically work when the sys admin followed the directions. (2) Keep file permissions the way they are, but add lingo to the documentation telling the sys admin to change the file permissions if he wants to allow one or more users to configure wireless without giving them su powers. (3) Set file permissions to 660, owner=root, group=wireless. Run as a system daemon, without any user in the wireless group, it's the same as 600. If the sys admin wants one or more users to be able to configure the wireless connection, he simply adds the users to the wireless group. My choice is number 3. Carrying a laptop around inevitably requires configuring the wireless settings for various local wireless network, and it's hard to predict in advance what is going to be required. Inevitably, the sys admin will have to give some sort of enhanced privileges to the user carrying the laptop. If the sys admin and the user are the same person, our buddy sudo does the trick and it's no big deal. But if the sys admin is in the IT department and the user is some salesman or consultant schlepping around in hotels and airports, the better part of valor would be to set up a wireless group and put the hapless users in that group. Option 3 would be a sensible default for file permissions, and reduce the number of configuration steps, no matter what the sys admin decided. To carry it a step farther, the install script could ask which users should be in the wireless group, providing a list of users to select among. Thanks, Kel. Thank YOU! Loye Young -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]