Maybe it should be something like:
```bash
groupadd ubus
for user in "root ..."; do
usermod -a -G ubus "${user}"
done
chgrp ubus /sbin/uci /var/run/ubus.sock
chmod g+rw /var/run/ubus.sock
chmod g+rwx /sbin/uci
chmod o-rwx /sbin/uci /var/run/ubus.sock
```
What would this break?
I'm sorry for wading into this. As with any security related discussion
strawpeople can be made to support any particular thread pulling into
infinity.
Would I love to see namespaces used as part of the base Openwrt
architecture; absolutely. It's been discussed in the past; routing in
particular
>From a least privileges perspective:
- chmod o-rwx /var/run/hostapd-phyX.conf
- chmod o-x uci # setfacl?
Compromise of a service running as a different user should not result in
disclosure of sensitive keys only necessary for different services.
No. If you have physical access to the node and/or a valid login as Admin
then any form of PSK is vulnerable.
If you are concerned about PSK's being exposed then you have the option to
run 802.1x auth and issue issues tokens out of radius/IDM that is secured
elsewhere than on the AP itself.
On
Hi,
the configuration files for hostapd (/var/run/hostapd-phyX.conf) are readable
for everyone. This means everyone can read the wifi passwords. If a non
privileged user calls 'uci show wireless', he will also get all wifi passwords.
This possible e.g. for user nobody and dnsmasq.
Is this a a