WPA_PRIV(8)                                                        WPA_PRIV(8)

NAME
       wpa_priv - wpa_supplicant privilege separation helper

SYNOPSIS
       wpa_priv [ -c ctrl path ] [ -Bdd ] [ -P pid file ] [ driver:ifname
       [driver:ifname ...] ]

OVERVIEW
       wpa_priv is a privilege separation helper that minimizes the size of
       wpa_supplicant code that needs to be run with root privileges.

       If enabled, privileged operations are done in the wpa_priv process
       while leaving the rest of the code (e.g., EAP authentication and WPA
       handshakes) to operate in an unprivileged process (wpa_supplicant)
       that can be run as a non-root user. Privilege separation restricts
       the effects of potential software errors by containing the majority
       of the code in an unprivileged process to avoid the possibility of a
       full system compromise.

       wpa_priv needs to be run with network admin privileges (usually, the
       root user). It opens a UNIX domain socket for each interface that is
       included on the command line; any other interface will be off limits
       for wpa_supplicant in this kind of configuration. After this,
       wpa_supplicant can be run as a non-root user (e.g., as any standard
       user on a laptop, or as a special non-privileged user account created
       just for this purpose to limit access to user files even further).

EXAMPLE CONFIGURATION
       The following steps are an example of how to configure wpa_priv to
       allow users in the wpapriv group to communicate with wpa_supplicant
       with privilege separation:

       Create a user group (e.g., wpapriv) and assign the users that should
       be able to use wpa_supplicant to that group.

       Create the /var/run/wpa_priv directory for the UNIX domain sockets and
       control user access by making it accessible only to the wpapriv
       group:

              mkdir /var/run/wpa_priv
              chown root:wpapriv /var/run/wpa_priv
              chmod 0750 /var/run/wpa_priv

       Start wpa_priv as root (e.g., from system startup scripts) with the
       enabled interfaces configured on the command line:

              wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0

       Run wpa_supplicant as non-root with a user that is in the wpapriv
       group:

              wpa_supplicant -i ath0 -c wpa_supplicant.conf
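
       The following POSIX sh script is an added example, not part of the
       wpa_priv man page or the wpa_supplicant project: it audits the control
       directory the steps above create, checking the invariants the page
       relies on (root ownership, the wpapriv group, and mode 0750 so no user
       outside the group can reach the sockets). The directory path, the
       group name and the use of GNU stat -c in audit_privdir are assumptions.

```shell
#!/bin/sh
# Added example (not part of the wpa_priv man page): verify that the wpa_priv
# control directory is set up as the steps above require. Assumptions: the
# directory is /var/run/wpa_priv, the group is wpapriv, and GNU stat(1) is
# available for audit_privdir.

# privdir_ok "<octal mode> <owner> <group>" GROUP
# Returns 0 when the line describes an acceptable control directory:
# owned by root, group GROUP, group r-x so members can reach the sockets,
# and no permission bits for other users. Prints the reason on failure.
privdir_ok() {
    want_group=$2
    set -- $1
    mode=$1; owner=$2; group=$3
    # stat prints a fourth leading digit when setuid/setgid/sticky is set;
    # drop it so the per-class digits can be read by position
    mode=$(printf '%s' "$mode" | sed 's/^[0-7]\([0-7][0-7][0-7]\)$/\1/')
    group_bits=${mode#?}; group_bits=${group_bits%?}
    other_bits=${mode#??}
    if [ "$owner" != root ]; then
        echo "owner is $owner, expected root"; return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group"; return 1
    fi
    if [ "$other_bits" != 0 ]; then
        echo "mode $mode lets users outside $want_group reach the sockets"; return 1
    fi
    # r-x (5) is what the man page's chmod 0750 grants; group write would let
    # any member unlink another user's socket, so it is flagged as well
    if [ "$group_bits" != 5 ]; then
        echo "mode $mode gives group $want_group $group_bits, expected 5 (r-x)"; return 1
    fi
    return 0
}

# audit_privdir DIR GROUP: run the check against a real directory.
audit_privdir() {
    [ -d "$1" ] || { echo "$1 does not exist"; return 1; }
    privdir_ok "$(stat -c '%a %U %G' "$1")" "$2"
}

# Usage after the setup steps, e.g. from a startup script before launching
# wpa_priv:
#   audit_privdir /var/run/wpa_priv wpapriv || exit 1
```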

COMMAND ARGUMENTS
       -c ctrl path
              Specify the path to the wpa_priv control directory (Default:
              /var/run/wpa_priv/).

       -B     Run as a daemon in the background.

       -P file
              Set the location of the PID file.

       driver:ifname [driver:ifname ...]
              The <driver> string dictates which of the supported
              wpa_supplicant driver backends is to be used. To get a list of
              supported driver types see the wpa_supplicant help (e.g.,
              wpa_supplicant -h). The driver backend supported by most good
              drivers is wext.

              The <ifname> string specifies which network interface is to be
              managed by wpa_supplicant (e.g., wlan0 or ath0).

              wpa_priv does not use the network interface before
              wpa_supplicant is started, so it is fine to include network
              interfaces that are not available at the time wpa_priv is
              started. wpa_priv can control multiple interfaces with one
              process, but it is also possible to run multiple wpa_priv
              processes at the same time, if desired.

SEE ALSO
       wpa_supplicant(8)

LEGAL
       wpa_supplicant is copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> and
       contributors. All Rights Reserved.

       This program is dual-licensed under both the GPL version 2 and BSD
       license. Either license may be used at your option.



                               15 February 2009                    WPA_PRIV(8)