1WPA_PRIV(8) WPA_PRIV(8)
2
3
4
6 wpa_priv - wpa_supplicant privilege separation helper
7
9 wpa_priv [ -c ctrl path ] [ -Bdd ] [ -P pid file ] [ driver:ifname
10 [driver:ifname ...] ]
11
13 wpa_priv is a privilege separation helper that minimizes the size of
14 wpa_supplicant code that needs to be run with root privileges.
15
16 If enabled, privileged operations are done in the wpa_priv process
17 while leaving rest of the code (e.g., EAP authentication and WPA hand‐
18 shakes) to operate in an unprivileged process (wpa_supplicant) that can
19 be run as non-root user. Privilege separation restricts the effects of
20 potential software errors by containing the majority of the code in an
21 unprivileged process to avoid the possibility of a full system compro‐
22 mise.
23
24 wpa_priv needs to be run with network admin privileges (usually, root
25 user). It opens a UNIX domain socket for each interface that is in‐
26 cluded on the command line; any other interface will be off limits for
27 wpa_supplicant in this kind of configuration. After this, wpa_suppli‐
28 cant can be run as a non-root user (e.g., all standard users on a lap‐
29 top or as a special non-privileged user account created just for this
30 purpose to limit access to user files even further).
31
33 The following steps are an example of how to configure wpa_priv to al‐
34 low users in the wpapriv group to communicate with wpa_supplicant with
35 privilege separation:
36
37 Create user group (e.g., wpapriv) and assign users that should be able
38 to use wpa_supplicant into that group.
39
40 Create /var/run/wpa_priv directory for UNIX domain sockets and control
41 user access by setting it accessible only for the wpapriv group:
42
43
44 mkdir /var/run/wpa_priv
45 chown root:wpapriv /var/run/wpa_priv
46 chmod 0750 /var/run/wpa_priv
47
48
49
50 Start wpa_priv as root (e.g., from system startup scripts) with the en‐
51 abled interfaces configured on the command line:
52
53
54 wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0
55
56
57
58 Run wpa_supplicant as non-root with a user that is in the wpapriv
59 group:
60
61
62 wpa_supplicant -i ath0 -c wpa_supplicant.conf
63
64
65
67 -c ctrl path
68 Specify the path to wpa_priv control directory (Default:
69 /var/run/wpa_priv/).
70
71 -B Run as a daemon in the background.
72
73 -P file
74 Set the location of the PID file.
75
76 driver:ifname [driver:ifname ...]
77 The <driver> string dictates which of the supported wpa_suppli‐
78 cant driver backends is to be used. To get a list of supported
79 driver types see wpa_supplicant help (e.g, wpa_supplicant -h).
80 The driver backend supported by most good drivers is wext.
81
82 The <ifname> string specifies which network interface is to be
83 managed by wpa_supplicant (e.g., wlan0 or ath0).
84
85 wpa_priv does not use the network interface before wpa_suppli‐
86 cant is started, so it is fine to include network interfaces
87 that are not available at the time wpa_priv is started. wpa_priv
88 can control multiple interfaces with one process, but it is also
89 possible to run multiple wpa_priv processes at the same time, if
90 desired.
91
93 wpa_supplicant(8)
94
96 wpa_supplicant is copyright (c) 2003-2019, Jouni Malinen <j@w1.fi> and
97 contributors. All Rights Reserved.
98
99 This program is licensed under the BSD license (the one with advertise‐
100 ment clause removed).
101
102
103
104 24 July 2021 WPA_PRIV(8)