.\" This manpage has been automatically generated by docbook2man
.\" from a DocBook document. This tool can be found at:
.\"
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng.
.TH "WPA_PRIV" "8" "07 August 2019" "" ""
.SH NAME
wpa_priv \- wpa_supplicant privilege separation helper
.SH SYNOPSIS
\fBwpa_priv\fR [ \fB-c \fIctrl path\fB\fR ] [ \fB-Bdd\fR ] [ \fB-P \fIpid file\fB\fR ] [ \fBdriver:ifname \fI[driver:ifname ...]\fB\fR ]
.SH "OVERVIEW"
.PP
\fBwpa_priv\fR is a privilege separation helper that minimizes the size of the \fBwpa_supplicant\fR code that needs to be run with root privileges.
.PP
If enabled, privileged operations are done in the wpa_priv process while the rest of the code (e.g., EAP authentication and WPA handshakes) operates in an unprivileged process (wpa_supplicant) that can be run as a non-root user. Privilege separation restricts the effects of potential software errors by containing the majority of the code in an unprivileged process, so that a fault in that code cannot by itself lead to a full system compromise.
.PP
\fBwpa_priv\fR needs to be run with network admin privileges (usually, the root user). It opens a UNIX domain socket for each interface that is included on the command line; any other interface will be off limits for \fBwpa_supplicant\fR in this kind of configuration. After this, \fBwpa_supplicant\fR can be run as a non-root user (e.g., as any standard user on a laptop, or as a special non-privileged user account created just for this purpose, which limits access to user files even further).
.SH "EXAMPLE CONFIGURATION"
.PP
The following steps are an example of how to configure \fBwpa_priv\fR to allow users in the \fBwpapriv\fR group to communicate with \fBwpa_supplicant\fR with privilege separation:
.PP
Create a user group (e.g., wpapriv) and assign the users that should be able to use wpa_supplicant to that group.
.PP
Create the /var/run/wpa_priv directory for the UNIX domain sockets and control user access by making it accessible only to the wpapriv group:
.sp
.RS
.nf
mkdir /var/run/wpa_priv
chown root:wpapriv /var/run/wpa_priv
chmod 0750 /var/run/wpa_priv
.fi
.RE
.PP
Start \fBwpa_priv\fR as root (e.g., from system startup scripts) with the enabled interfaces configured on the command line:
.sp
.RS
.nf
wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0
.fi
.RE
.PP
Run \fBwpa_supplicant\fR as non-root with a user that is in the wpapriv group, on an interface that was listed on the \fBwpa_priv\fR command line:
.sp
.RS
.nf
wpa_supplicant -i wlan0 -c wpa_supplicant.conf
.fi
.RE
.SH "COMMAND ARGUMENTS"
.TP
\fB-c ctrl path\fR
Specify the path to the wpa_priv control directory (Default: /var/run/wpa_priv/).
.TP
\fB-B\fR
Run as a daemon in the background.
.TP
\fB-P file\fR
Set the location of the PID file.
.TP
\fBdriver:ifname [driver:ifname ...]\fR
The \fIdriver\fR string dictates which of the supported \fBwpa_supplicant\fR driver backends is to be used. To get a list of supported driver types, see the wpa_supplicant help (e.g., wpa_supplicant -h). The driver backend supported by most good drivers is \fBwext\fR\&. The \fIifname\fR string specifies which network interface is to be managed by \fBwpa_supplicant\fR (e.g., wlan0 or ath0). \fBwpa_priv\fR does not use the network interface before \fBwpa_supplicant\fR is started, so it is fine to include network interfaces that are not available at the time wpa_priv is started. wpa_priv can control multiple interfaces with one process, but it is also possible to run multiple \fBwpa_priv\fR processes at the same time, if desired.
.SH "SEE ALSO"
.PP
\fBwpa_supplicant\fR(8)
.SH "LEGAL"
.PP
wpa_supplicant is copyright (c) 2003-2022, Jouni Malinen and contributors. All Rights Reserved.
.PP
This program is licensed under the BSD license (the one with advertisement clause removed).
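.SH "VERIFYING THE CONFIGURATION"
.PP
The following script is an added example and is not part of wpa_supplicant or wpa_priv: it checks that the socket directory and the unprivileged user match the layout given in EXAMPLE CONFIGURATION (directory mode 0750, owned by root and the wpapriv group, user a member of that group), and it can perform the directory steps as root. The function names, the use of \fBls -ld\fR for the permission check, and \fBgroupadd\fR/\fBgetent\fR for the setup step are assumptions, not taken from the man page.

```sh
#!/bin/sh
# Added example, not part of wpa_supplicant: checks that the wpa_priv socket
# directory and the unprivileged user match EXAMPLE CONFIGURATION in wpa_priv(8).
# Directory, owner, group and user are parameters so the checks can also be run
# against a scratch directory; the man page's values are the defaults at the end.

# check_privsep_dir DIR OWNER GROUP
# Succeeds only if DIR exists, is owned by OWNER:GROUP and is mode 0750
# (drwxr-x---): OWNER and GROUP members can reach the sockets, nobody else.
check_privsep_dir() {
    dir=$1 want_owner=$2 want_group=$3
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory" >&2; return 1; }
    # ls -ld is POSIX; fields are mode, link count, owner, group, ...
    set -- $(ls -ld "$dir")
    mode=${1%[+.]} owner=$3 group=$4   # drop a trailing ACL/SELinux marker
    [ "$mode" = "drwxr-x---" ] ||
        { echo "FAIL: $dir is $mode, want drwxr-x--- (0750)" >&2; return 1; }
    [ "$owner" = "$want_owner" ] ||
        { echo "FAIL: $dir owner is $owner, want $want_owner" >&2; return 1; }
    [ "$group" = "$want_group" ] ||
        { echo "FAIL: $dir group is $group, want $want_group" >&2; return 1; }
}

# check_group_member USER GROUP
# Succeeds if USER is in GROUP (primary or supplementary), which the user
# running wpa_supplicant needs in order to open the sockets in DIR.
check_group_member() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# setup_privsep_dir DIR GROUP
# Performs the man page's directory steps; must run as root. Assumes Linux
# groupadd (shadow-utils) and getent (glibc) are available. Idempotent.
setup_privsep_dir() {
    getent group "$2" >/dev/null || groupadd "$2"
    mkdir -p "$1"
    chown "root:$2" "$1"
    chmod 0750 "$1"
}

# Usage: privsep_check.sh DIR [GROUP [USER]]   (defaults: wpapriv, current user)
if [ $# -gt 0 ]; then
    grp=${2:-wpapriv} usr=${3:-$(id -un)}
    check_privsep_dir "$1" root "$grp" &&
        check_group_member "$usr" "$grp" &&
        echo "OK: $1 is restricted to root:$grp and $usr is in $grp"
fi
```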