diff options
Diffstat (limited to 'contrib/wpa/wpa_supplicant/doc/docbook/wpa_priv.sgml')
-rw-r--r-- | contrib/wpa/wpa_supplicant/doc/docbook/wpa_priv.sgml | 148 |
1 files changed, 0 insertions, 148 deletions
diff --git a/contrib/wpa/wpa_supplicant/doc/docbook/wpa_priv.sgml b/contrib/wpa/wpa_supplicant/doc/docbook/wpa_priv.sgml deleted file mode 100644 index eb907a8..0000000 --- a/contrib/wpa/wpa_supplicant/doc/docbook/wpa_priv.sgml +++ /dev/null @@ -1,148 +0,0 @@ -<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> - -<refentry> - <refmeta> - <refentrytitle>wpa_priv</refentrytitle> - <manvolnum>8</manvolnum> - </refmeta> - <refnamediv> - <refname>wpa_priv</refname> - - <refpurpose>wpa_supplicant privilege separation helper</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis> - <command>wpa_priv</command> - <arg>-c <replaceable>ctrl path</replaceable></arg> - <arg>-Bdd</arg> - <arg>-P <replaceable>pid file</replaceable></arg> - <arg>driver:ifname <replaceable>[driver:ifname ...]</replaceable></arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1> - <title>Overview</title> - - <para><command>wpa_priv</command> is a privilege separation helper that - minimizes the size of <command>wpa_supplicant</command> code that needs - to be run with root privileges.</para> - - <para>If enabled, privileged operations are done in the wpa_priv process - while leaving rest of the code (e.g., EAP authentication and WPA - handshakes) to operate in an unprivileged process (wpa_supplicant) that - can be run as non-root user. Privilege separation restricts the effects - of potential software errors by containing the majority of the code in an - unprivileged process to avoid the possibility of a full system - compromise.</para> - - <para><command>wpa_priv</command> needs to be run with network admin - privileges (usually, root user). It opens a UNIX domain socket for each - interface that is included on the command line; any other interface will - be off limits for <command>wpa_supplicant</command> in this kind of - configuration. After this, <command>wpa_supplicant</command> can be run as - a non-root user (e.g., all standard users on a laptop or as a special - non-privileged user account created just for this purpose to limit access - to user files even further).</para> - </refsect1> - <refsect1> - <title>Example configuration</title> - - <para>The following steps are an example of how to configure - <command>wpa_priv</command> to allow users in the - <emphasis>wpapriv</emphasis> group to communicate with - <command>wpa_supplicant</command> with privilege separation:</para> - - <para>Create user group (e.g., wpapriv) and assign users that - should be able to use wpa_supplicant into that group.</para> - - <para>Create /var/run/wpa_priv directory for UNIX domain sockets and - control user access by setting it accessible only for the wpapriv - group:</para> - -<blockquote><programlisting> -mkdir /var/run/wpa_priv -chown root:wpapriv /var/run/wpa_priv -chmod 0750 /var/run/wpa_priv -</programlisting></blockquote> - - <para>Start <command>wpa_priv</command> as root (e.g., from system - startup scripts) with the enabled interfaces configured on the - command line:</para> - -<blockquote><programlisting> -wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0 -</programlisting></blockquote> - - <para>Run <command>wpa_supplicant</command> as non-root with a user - that is in the wpapriv group:</para> - -<blockquote><programlisting> -wpa_supplicant -i ath0 -c wpa_supplicant.conf -</programlisting></blockquote> - - </refsect1> - <refsect1> - <title>Command Arguments</title> - <variablelist> - <varlistentry> - <term>-c ctrl path</term> - - <listitem><para>Specify the path to wpa_priv control directory - (Default: /var/run/wpa_priv/).</para></listitem> - </varlistentry> - - <varlistentry> - <term>-B</term> - <listitem><para>Run as a daemon in the background.</para></listitem> - </varlistentry> - - <varlistentry> - <term>-P file</term> - - <listitem><para>Set the location of the PID - file.</para></listitem> - </varlistentry> - - <varlistentry> - <term>driver:ifname [driver:ifname ...]</term> - - <listitem><para>The <driver> string dictates which of the - supported <command>wpa_supplicant</command> driver backends is to be - used. To get a list of supported driver types see wpa_supplicant help - (e.g, wpa_supplicant -h). The driver backend supported by most good - drivers is <emphasis>wext</emphasis>.</para> - - <para>The <ifname> string specifies which network - interface is to be managed by <command>wpa_supplicant</command> - (e.g., wlan0 or ath0).</para> - - <para><command>wpa_priv</command> does not use the network interface - before <command>wpa_supplicant</command> is started, so it is fine to - include network interfaces that are not available at the time wpa_priv - is started. wpa_priv can control multiple interfaces with one process, - but it is also possible to run multiple <command>wpa_priv</command> - processes at the same time, if desired.</para></listitem> - </varlistentry> - </variablelist> - </refsect1> - <refsect1> - <title>See Also</title> - <para> - <citerefentry> - <refentrytitle>wpa_supplicant</refentrytitle> - <manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - <refsect1> - <title>Legal</title> - <para>wpa_supplicant is copyright (c) 2003-2012, - Jouni Malinen <email>j@w1.fi</email> and - contributors. - All Rights Reserved.</para> - - <para>This program is licensed under the BSD license (the one with - advertisement clause removed).</para> - </refsect1> -</refentry> |