Roy Marples writes:
> On 13/01/2019 10:20, matthew green wrote:
> > shouldn't one need to be root to modify network configuration?
> > i shouldn't be able to tell wpa_supplicant to do something as
> > non-root, in a default install.
>
> In a default install the only member of wheel is root and wpa_supplicant
> is not started.
>
> I suppose the real question is do we want to allow group access to
> wpa_supplicant and if so which group if not wheel?
>
> If we don't want to allow group access I may as well revert my changes
> and setup is then as before - the user is expected to configure
> everything themselves and wpa_cli won't work by default. This would be a
> shame as I've had a lot of positive feedback on this change already.

i don't want to allow configuration changes by non root. that should be fairly obvious and not something anyone would question.

group 'wheel' means access to root, not that it gives you additional privs immediately. if it did there would be no point in having group 'wheel' -- may as well just make all the wheel users uid 0, since that is the security provided.

it would be OK if this was _read-only_ access to network configuration, but one should never be allowed to change it unless root.

ie, i'm not objecting to having a better default wpa_supplicant configuration, but don't remove security layers in the process.

(i wouldn't pick 'wheel' as this group -- i would invent a new group either called 'net' or 'wpa', with no underscore since they're designed to be assigned, unlike the groups for specific programs' security models.)

.mrg.