.\" This manpage has been automatically generated by docbook2man
.\" from a DocBook document. This tool can be found at:
.\"
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng .
.TH "WPA_PRIV" "8" "07 August 2019" "" ""
.SH NAME
wpa_priv \- wpa_supplicant privilege separation helper
.SH SYNOPSIS
\fBwpa_priv\fR [ \fB-c \fIctrl path\fB\fR ] [ \fB-Bdd\fR ] [ \fB-P \fIpid file\fB\fR ] [ \fBdriver:ifname \fI[driver:ifname ...]\fB\fR ]
.SH "OVERVIEW"
.PP
\fBwpa_priv\fR is a privilege separation helper that
minimizes the size of \fBwpa_supplicant\fR code that needs
to be run with root privileges.
.PP
If enabled, privileged operations are done in the wpa_priv process
while leaving the rest of the code (e.g., EAP authentication and WPA
handshakes) to operate in an unprivileged process (wpa_supplicant) that
can be run as a non-root user. Privilege separation restricts the effects
of potential software errors by containing the majority of the code in an
unprivileged process, so that a bug there cannot lead to a full system
compromise.
.PP
\fBwpa_priv\fR needs to be run with network admin
privileges (usually, as the root user). It opens a UNIX domain socket for each
interface that is included on the command line; any other interface will
be off limits for \fBwpa_supplicant\fR in this kind of
configuration. After this, \fBwpa_supplicant\fR can be run as
a non-root user (e.g., as any standard user on a laptop, or as a special
non-privileged user account created just for this purpose to limit access
to user files even further).
.SH "EXAMPLE CONFIGURATION"
.PP
The following steps are an example of how to configure
\fBwpa_priv\fR to allow users in the
\fBwpapriv\fR group to communicate with
\fBwpa_supplicant\fR with privilege separation:
.PP
Create a user group (e.g., wpapriv) and add the users that
should be able to use wpa_supplicant to that group.
.PP
Create the /var/run/wpa_priv directory for the UNIX domain sockets and
control user access by making it accessible only to the wpapriv
group:
.sp
.RS
.nf
mkdir /var/run/wpa_priv
chown root:wpapriv /var/run/wpa_priv
chmod 0750 /var/run/wpa_priv
.fi
.RE
.PP
Start \fBwpa_priv\fR as root (e.g., from system
startup scripts) with the enabled interfaces configured on the
command line:
.sp
.RS
.nf
wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0
.fi
.RE
.PP
Run \fBwpa_supplicant\fR as a non-root user
that is in the wpapriv group, on an interface that was given to
\fBwpa_priv\fR above:
.sp
.RS
.nf
wpa_supplicant -i wlan0 -c wpa_supplicant.conf
.fi
.RE
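.PP
The steps above only work as intended if the socket directory really does
exclude everyone outside the wpapriv group. The following POSIX shell
functions, added here as an example and not part of wpa_supplicant itself,
verify the directory ownership and mode and check that a user is a member of
the group; they assume GNU \fBstat\fR(1) (for the \fB-c\fR format) and that
the control directory path, owner, group and mode may be passed as arguments
(the defaults match the example configuration).

```shell
#!/bin/sh
# Added example (not from the wpa_supplicant project): sanity checks for a
# wpa_priv privilege-separation setup. Assumes GNU stat(1).

# Verify that the wpa_priv control directory exists and is owned and
# protected exactly as the EXAMPLE CONFIGURATION section requires.
# Usage: check_wpa_priv_dir DIR [OWNER] [GROUP] [MODE]
check_wpa_priv_dir() {
    dir="$1"
    want_owner="${2:-root}"
    want_group="${3:-wpapriv}"
    want_mode="${4:-750}"
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    # owner:group:octal mode, e.g. root:wpapriv:750
    actual=$(stat -c '%U:%G:%a' "$dir") || return 1
    if [ "$actual" != "$want_owner:$want_group:$want_mode" ]; then
        echo "$dir: is $actual, expected $want_owner:$want_group:$want_mode" >&2
        return 1
    fi
    return 0
}

# Verify that USER is a member of GROUP (primary or supplementary), i.e.
# that a wpa_supplicant started as USER will be able to open the sockets.
# Usage: user_in_group USER GROUP
user_in_group() {
    user="$1"
    group="$2"
    id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"
}

# Example run against the default locations from this man page.
if [ "${0##*/}" = "check_wpa_priv.sh" ]; then
    check_wpa_priv_dir /var/run/wpa_priv && echo "directory OK"
    user_in_group "$(id -un)" wpapriv && echo "$(id -un) is in wpapriv"
fi
```

A directory that is world-readable (e.g. 0755) or owned by the wrong group fails the first check, which is exactly the condition under which arbitrary local users could reach the privileged helper.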
.SH "COMMAND ARGUMENTS"
.TP
\fB-c ctrl path\fR
Specify the path to wpa_priv control directory
(Default: /var/run/wpa_priv/).
.TP
\fB-B\fR
Run as a daemon in the background.
.TP
\fB-P file\fR
Set the location of the PID
file.
.TP
\fBdriver:ifname [driver:ifname ...]\fR
The \fIdriver\fR string dictates which of the
supported \fBwpa_supplicant\fR driver backends is to be
used. To get a list of supported driver types see wpa_supplicant help
(e.g., wpa_supplicant -h). The driver backend supported by most good
drivers is \fBwext\fR\&.
The \fIifname\fR string specifies which network
interface is to be managed by \fBwpa_supplicant\fR
(e.g., wlan0 or ath0).
\fBwpa_priv\fR does not use the network interface
before \fBwpa_supplicant\fR is started, so it is fine to
include network interfaces that are not available at the time wpa_priv
is started. wpa_priv can control multiple interfaces with one process,
but it is also possible to run multiple \fBwpa_priv\fR
processes at the same time, if desired.
.SH "SEE ALSO"
.PP
\fBwpa_supplicant\fR(8)
.SH "LEGAL"
.PP
wpa_supplicant is copyright (c) 2003-2022,
Jouni Malinen and
contributors.
All Rights Reserved.
.PP
This program is licensed under the BSD license (the one with
advertisement clause removed).