Re: iwd + systemd-networkd + resolvconf wrinkles
On Thu 17 Mar 2022 at 14:50:06 (+0000), Brian wrote:
> On Sun 13 Mar 2022 at 20:04:06 -0500, David Wright wrote:
>
> [...]
>
> > By the end of all this, the link should be working, and a file
> > like this will have been written (that only root can see):
> >
> > # cat /var/lib/iwd/YourSSID.psk
> > [Security]
> > PreSharedKey=abdcef0123456789…abdcef0123456789…abdcef0123456789
> > Passphrase=yoursecretpassphrase
> > #
>
> However, brian (who is not in the netdev group) can do
>
> iwctl known-networks YourSSID forget
>
> and /var/lib/iwd/YourSSID.psk is deleted.
>
> This user can also successfully execute
>
> iwctl station wlan0 connect YourSSID
>
> to bring about association with a WAP. Neither should be possible.
I have /read/ that security is handled through D-Bus, but I haven't
followed this up because the above doesn't present a problem here.
For example, /etc/dbus-1/system.d/org.freedesktop.ModemManager1.conf
seems to be aimed at controlling a modem, where a user might otherwise
be able to spend real money at someone else's expense. I guess Debian
might provide something like that.
I /imagine/ that such a facility could be quite fine-grained, unlike
plain netdev permissions. For example, allowing "connect"ions like the
above, but only to pre-defined SSIDs, and disallowing reconfigurations
like the "forget" above.
Then an /etc/default/iwd might define the privileged usernames for
each operation, or point to a file defining such.
Cheers,
David.
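As an added illustration of the D-Bus-level policy the post above speculates about, not anything from the thread or from iwd's own packaging: iwd's daemon owns the system bus name net.connman.iwd, and dbus-daemon evaluates <policy> blocks per bus name, interface and method. The interface and member names below (net.connman.iwd.Network.Connect, net.connman.iwd.KnownNetwork.Forget, net.connman.iwd.Station.Disconnect) are assumed from iwd's published D-Bus API, not taken from the page, and the file is a hypothetical drop-in for /etc/dbus-1/system.d/.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Added example, not iwd's shipped policy.  dbus-daemon merges every
     file under /usr/share/dbus-1/system.d/ and /etc/dbus-1/system.d/,
     so a broad <allow send_destination="net.connman.iwd"/> in the
     package's own default-context policy has to be narrowed there as
     well; this file alone cannot undo it. -->
<busconfig>
  <!-- Default context: anyone may still read properties and scan
       results, but the state-changing methods are denied.  Within a
       policy block later rules override earlier ones. -->
  <policy context="default">
    <allow send_destination="net.connman.iwd"/>
    <deny send_destination="net.connman.iwd"
          send_interface="net.connman.iwd.Network"
          send_member="Connect"/>
    <deny send_destination="net.connman.iwd"
          send_interface="net.connman.iwd.KnownNetwork"
          send_member="Forget"/>
    <deny send_destination="net.connman.iwd"
          send_interface="net.connman.iwd.Station"
          send_member="Disconnect"/>
  </policy>

  <!-- Members of netdev may associate with a network (the
       "iwctl station wlan0 connect" case) but get no Forget. -->
  <policy group="netdev">
    <allow send_destination="net.connman.iwd"
           send_interface="net.connman.iwd.Network"
           send_member="Connect"/>
  </policy>

  <!-- Only root may call Forget, and so delete /var/lib/iwd/*.psk. -->
  <policy user="root">
    <allow send_destination="net.connman.iwd"/>
  </policy>
</busconfig>
```

Two caveats for anyone trying this: user and group policies are applied after the default context, so the netdev allow takes precedence over the default deny for that one method only; and restricting Connect to particular SSIDs, as the post imagines, would need send_path= rules matching iwd's per-network object paths, which is brittle and is deliberately left out here. After editing policy files, reload the bus configuration (for example with `busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig`) and retest the forget and connect commands as the unprivileged user.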