WPA_PRIV(8)                                                        WPA_PRIV(8)

NAME

       wpa_priv - wpa_supplicant privilege separation helper

SYNOPSIS

       wpa_priv [ -c ctrl path ] [ -Bdd ] [ -P pid file ] [ driver:ifname
       [driver:ifname ...] ]

OVERVIEW

       wpa_priv is a privilege separation helper that minimizes the size of
       wpa_supplicant code that needs to be run with root privileges.

       If enabled, privileged operations are done in the wpa_priv process
       while leaving the rest of the code (e.g., EAP authentication and WPA
       handshakes) to operate in an unprivileged process (wpa_supplicant)
       that can be run as a non-root user. Privilege separation restricts
       the effects of potential software errors by containing the majority
       of the code in an unprivileged process, to avoid the possibility of a
       full system compromise.

       wpa_priv needs to be run with network admin privileges (usually, the
       root user). It opens a UNIX domain socket for each interface that is
       included on the command line; any other interface will be off limits
       for wpa_supplicant in this kind of configuration. After this,
       wpa_supplicant can be run as a non-root user (e.g., as any standard
       user on a laptop, or as a special non-privileged user account created
       just for this purpose to limit access to user files even further).

EXAMPLE CONFIGURATION

       The following steps are an example of how to configure wpa_priv to
       allow users in the wpapriv group to communicate with wpa_supplicant
       with privilege separation:

       Create a user group (e.g., wpapriv) and assign the users that should
       be able to use wpa_supplicant to that group.

       Create the /var/run/wpa_priv directory for the UNIX domain sockets and
       control user access by making it accessible only to the wpapriv group:

              mkdir /var/run/wpa_priv
              chown root:wpapriv /var/run/wpa_priv
              chmod 0750 /var/run/wpa_priv

       Start wpa_priv as root (e.g., from system startup scripts) with the
       enabled interfaces configured on the command line:

              wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0

       Run wpa_supplicant as a non-root user that is in the wpapriv group:

              wpa_supplicant -i ath0 -c wpa_supplicant.conf
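Added example, not part of wpa_supplicant or this man page: a POSIX sh check, assuming GNU coreutils stat(1), that verifies the control directory has the root:wpapriv ownership and 0750 mode the steps above establish before wpa_priv is started. The directory mode is what keeps the per-interface sockets reachable only by the wpapriv group, so a looser mode widens which local users can talk to the privileged helper.

```shell
#!/bin/sh
# Added example, not part of wpa_priv/wpa_supplicant. Verifies that a
# wpa_priv control directory is owned by the expected user and group and
# has mode 0750, as in the EXAMPLE CONFIGURATION steps above. Assumes GNU
# coreutils stat(1) (the -c format). Owner and group are parameters so the
# check can be exercised on a scratch directory without root.

# check_ctrl_dir DIR OWNER GROUP
# Returns 0 when DIR is a directory owned by OWNER:GROUP with mode 0750;
# prints the first mismatch to stderr and returns 1 otherwise.
check_ctrl_dir() {
    dir=$1
    want_owner=$2
    want_group=$3
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    # Octal mode without leading zero, owner name, group name.
    set -- $(stat -c '%a %U %G' "$dir" 2>/dev/null)
    mode=$1
    owner=$2
    group=$3
    if [ "$mode" != "750" ]; then
        echo "$dir: mode is ${mode:-unknown}, expected 750" >&2
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owner is $owner, expected $want_owner" >&2
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, expected $want_group" >&2
        return 1
    fi
    return 0
}

# Intended use as root, matching the setup above: refuse to start the
# privileged helper if the socket directory would be reachable by users
# outside the wpapriv group. The interface given to wpa_supplicant must be
# one listed on the wpa_priv command line.
#   check_ctrl_dir /var/run/wpa_priv root wpapriv &&
#       wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0
```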

COMMAND ARGUMENTS

       -c ctrl path
              Specify the path to the wpa_priv control directory (Default:
              /var/run/wpa_priv/).

       -B     Run as a daemon in the background.

       -P file
              Set the location of the PID file.

       driver:ifname [driver:ifname ...]
              The <driver> string dictates which of the supported
              wpa_supplicant driver backends is to be used. To get a list of
              supported driver types, see the wpa_supplicant help (e.g.,
              wpa_supplicant -h). The driver backend supported by most good
              drivers is wext.

              The <ifname> string specifies which network interface is to be
              managed by wpa_supplicant (e.g., wlan0 or ath0).

              wpa_priv does not use the network interface before
              wpa_supplicant is started, so it is fine to include network
              interfaces that are not available at the time wpa_priv is
              started. wpa_priv can control multiple interfaces with one
              process, but it is also possible to run multiple wpa_priv
              processes at the same time, if desired.

SEE ALSO

       wpa_supplicant(8)

       wpa_supplicant is copyright (c) 2003-2019, Jouni Malinen <j@w1.fi> and
       contributors. All Rights Reserved.

       This program is licensed under the BSD license (the one with the
       advertisement clause removed).



                                 01 March 2021                     WPA_PRIV(8)