WPA_PRIV(8)                                                        WPA_PRIV(8)

NAME

       wpa_priv - wpa_supplicant privilege separation helper


SYNOPSIS

       wpa_priv [ -c ctrl path ] [ -Bdd ] [ -P pid file ] [ driver:ifname
       [driver:ifname ...] ]


OVERVIEW

       wpa_priv is a privilege separation helper that minimizes the size of
       wpa_supplicant code that needs to be run with root privileges.

       If enabled, privileged operations are done in the wpa_priv process
       while leaving the rest of the code (e.g., EAP authentication and WPA
       handshakes) to operate in an unprivileged process (wpa_supplicant)
       that can be run as a non-root user. Privilege separation restricts
       the effects of potential software errors by containing the majority
       of the code in an unprivileged process, so that a bug in that code
       does not lead to a full system compromise.

       wpa_priv needs to be run with network admin privileges (usually, the
       root user). It opens a UNIX domain socket for each interface that is
       included on the command line; any other interface will be off limits
       for wpa_supplicant in this kind of configuration. After this,
       wpa_supplicant can be run as a non-root user (e.g., as any standard
       user on a laptop, or as a special non-privileged user account created
       just for this purpose to limit access to user files even further).


EXAMPLE CONFIGURATION

       The following steps are an example of how to configure wpa_priv to
       allow users in the wpapriv group to communicate with wpa_supplicant
       with privilege separation:

       Create a user group (e.g., wpapriv) and assign the users that should
       be able to use wpa_supplicant to that group.

       Create the /var/run/wpa_priv directory for the UNIX domain sockets and
       control user access by making it accessible only to the wpapriv
       group:

              mkdir /var/run/wpa_priv
              chown root:wpapriv /var/run/wpa_priv
              chmod 0750 /var/run/wpa_priv

       Start wpa_priv as root (e.g., from system startup scripts) with the
       enabled interfaces configured on the command line:

              wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0

       Run wpa_supplicant as non-root with a user that is in the wpapriv
       group:

              wpa_supplicant -i ath0 -c wpa_supplicant.conf

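       The directory layout above is what keeps users outside the wpapriv
       group away from the wpa_priv sockets, so it is worth verifying before
       a non-root wpa_supplicant is handed an interface. The shell functions
       below are an added example, not part of wpa_priv or of this manual
       page; they assume Linux with GNU stat(1) and id(1), and take the
       directory, expected owner, group and user from the caller.

```shell
#!/bin/sh
# Added example (not part of wpa_priv): verify a wpa_priv control directory
# and an unprivileged user against the layout in EXAMPLE CONFIGURATION.
# Assumes Linux with GNU stat(1) and id(1).
# Usage: . ./check_wpa_priv.sh; check_ctrl_dir /var/run/wpa_priv root wpapriv

# check_ctrl_dir DIR OWNER GROUP
# Returns 0 only if DIR is a directory owned by OWNER:GROUP with mode 0750,
# i.e. owner rwx, group r-x and no access for "others", so that only group
# members can reach the per-interface sockets. Every failing check is
# reported on stderr and the function returns 1.
check_ctrl_dir() {
    dir=$1 want_owner=$2 want_group=$3 rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory" >&2
        return 1
    fi
    # GNU stat: %a = octal mode without leading zero, %U = owner, %G = group
    set -- $(stat -c '%a %U %G' "$dir")
    mode=$1 owner=$2 group=$3
    [ "$mode" = "750" ] ||
        { echo "$dir: mode $mode, want 0750" >&2; rc=1; }
    [ "$owner" = "$want_owner" ] ||
        { echo "$dir: owner $owner, want $want_owner" >&2; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "$dir: group $group, want $want_group" >&2; rc=1; }
    return $rc
}

# user_in_group USER GROUP
# Returns 0 if USER is a member of GROUP, i.e. is allowed to enter the
# control directory and talk to wpa_priv; 1 otherwise (or if USER is unknown).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}
```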

COMMAND ARGUMENTS

       -c ctrl path
              Specify the path to the wpa_priv control directory (Default:
              /var/run/wpa_priv/).

       -B     Run as a daemon in the background.

       -P file
              Set the location of the PID file.

       driver:ifname [driver:ifname ...]
              The <driver> string dictates which of the supported
              wpa_supplicant driver backends is to be used. To get a list of
              supported driver types see the wpa_supplicant help (e.g.,
              wpa_supplicant -h). The driver backend supported by most good
              drivers is wext.

              The <ifname> string specifies which network interface is to be
              managed by wpa_supplicant (e.g., wlan0 or ath0).

              wpa_priv does not use the network interface before
              wpa_supplicant is started, so it is fine to include network
              interfaces that are not available at the time wpa_priv is
              started. wpa_priv can control multiple interfaces with one
              process, but it is also possible to run multiple wpa_priv
              processes at the same time, if desired.


SEE ALSO

       wpa_supplicant(8)

       wpa_supplicant is copyright (c) 2003-2019, Jouni Malinen <j@w1.fi> and
       contributors. All Rights Reserved.

       This program is licensed under the BSD license (the one with the
       advertisement clause removed).



                                 24 July 2021                      WPA_PRIV(8)