author | Daniel Golle <daniel@makrotopia.org> | 2021-01-10 19:12:05 +0000 |
committer | Daniel Golle <daniel@makrotopia.org> | 2021-01-14 00:52:50 +0000 |
commit | 1f785383875ab0abdeda0c71907c2c95ef76cca6 (patch) | |
tree | 48b07a54349390cfaa91e48ed860b3e2b9061e31 /package/network/services/hostapd/files | |
parent | d9d698843469ee24de01fbb498bd8690d69b8b61 (diff) | |
hostapd: run as user 'network' if procd-ujail is installed
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root privileges.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Diffstat (limited to 'package/network/services/hostapd/files')
-rw-r--r-- | package/network/services/hostapd/files/wpad.init | 16 | ||||
-rw-r--r-- | package/network/services/hostapd/files/wpad.json | 22 | ||||
-rw-r--r-- | package/network/services/hostapd/files/wpad_acl.json | 10 |
3 files changed, 48 insertions, 0 deletions
diff --git a/package/network/services/hostapd/files/wpad.init b/package/network/services/hostapd/files/wpad.init
index 8471796774..79c5bf1075 100644
--- a/package/network/services/hostapd/files/wpad.init
+++ b/package/network/services/hostapd/files/wpad.init
@@ -9,17 +9,33 @@ NAME=wpad
 start_service() {
 if [ -x "/usr/sbin/hostapd" ]; then
 mkdir -p /var/run/hostapd
+chown network:network /var/run/hostapd
 procd_open_instance hostapd
 procd_set_param command /usr/sbin/hostapd -s -g /var/run/hostapd/global
 procd_set_param respawn 3600 1 0
+[ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
+procd_add_jail hostapd
+procd_set_param capabilities /etc/capabilities/wpad.json
+procd_set_param user network
+procd_set_param group network
+procd_set_param no_new_privs 1
+}
 procd_close_instance
 fi
 
 if [ -x "/usr/sbin/wpa_supplicant" ]; then
 mkdir -p /var/run/wpa_supplicant
+chown network:network /var/run/wpa_supplicant
 procd_open_instance supplicant
 procd_set_param command /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
 procd_set_param respawn 3600 1 0
+[ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
+procd_add_jail wpa_supplicant
+procd_set_param capabilities /etc/capabilities/wpad.json
+procd_set_param user network
+procd_set_param group network
+procd_set_param no_new_privs 1
+}
 procd_close_instance
 fi
 }
diff --git a/package/network/services/hostapd/files/wpad.json b/package/network/services/hostapd/files/wpad.json
new file mode 100644
index 0000000000..c73f3d98bd
--- /dev/null
+++ b/package/network/services/hostapd/files/wpad.json
@@ -0,0 +1,22 @@
+{
+"bounding": [
+"CAP_NET_ADMIN",
+"CAP_NET_RAW"
+],
+"effective": [
+"CAP_NET_ADMIN",
+"CAP_NET_RAW"
+],
+"ambient": [
+"CAP_NET_ADMIN",
+"CAP_NET_RAW"
+],
+"permitted": [
+"CAP_NET_ADMIN",
+"CAP_NET_RAW"
+],
+"inheritable": [
+"CAP_NET_ADMIN",
+"CAP_NET_RAW"
+]
+}
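Review bot: The seven-line jail block added after each `procd_set_param respawn 3600 1 0` is duplicated verbatim for the hostapd and the wpa_supplicant instance, differing only in the jail name, and its guard relies on the obsolescent `-a` operator inside `[ ]`. A small helper taking the jail name keeps the two instances from drifting apart and lets the condition be written as `[ -x /sbin/ujail ] && [ -e /etc/capabilities/wpad.json ]`. The `chown network:network` on the run directories is applied even when the jail is not, which is harmless because the daemon then still runs as root, but a one-line comment saying so would spare the next reader the question. The installation of /etc/capabilities/wpad.json is presumably done by the Makefile, which this diffstat does not include.
```shell
# Apply the unprivileged jail to the instance being defined; $1 is the jail name.
# Silently does nothing when procd-ujail or the capability file is absent.
wpad_add_jail() {
	[ -x /sbin/ujail ] && [ -e /etc/capabilities/wpad.json ] || return 0
	procd_add_jail "$1"
	procd_set_param capabilities /etc/capabilities/wpad.json
	procd_set_param user network
	procd_set_param group network
	procd_set_param no_new_privs 1
}

# … unchanged: start_service() body; the two inline blocks become …
		wpad_add_jail hostapd
# … and …
		wpad_add_jail wpa_supplicant
```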
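Review bot: The capability file lists the same two capabilities in all five sets, and since JSON cannot carry comments a reader cannot tell from the file why `ambient` and `inheritable` are populated in addition to `permitted` and `effective`; presumably they are needed so the capabilities survive the switch to the unprivileged user and the exec of the daemon, but the commit message should state that. It is also worth noting in the message that CAP_NET_ADMIN remains a broad capability, so the hardening gained here is the loss of root identity and of every other capability rather than isolation of network configuration. Keeping `bounding` equal to the other sets is the right choice, as the daemon can then never acquire anything beyond these two.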
diff --git a/package/network/services/hostapd/files/wpad_acl.json b/package/network/services/hostapd/files/wpad_acl.json
new file mode 100644
index 0000000000..c77ccd8ea0
--- /dev/null
+++ b/package/network/services/hostapd/files/wpad_acl.json
@@ -0,0 +1,10 @@
+{
+"user": "network",
+"access": {
+"service": {
+"methods": [ "event" ]
+}
+},
+"publish": [ "hostapd", "hostapd.*", "wpa_supplicant", "wpa_supplicant.*" ],
+"send": [ "bss.*", "wps_credentials" ]
+}
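Review bot: The ubus ACL is pleasingly narrow, but nothing records which daemon feature each entry serves — the `publish` globs for the hostapd and wpa_supplicant objects, the `send` permissions for `bss.*` and `wps_credentials` events, and the `event` method on the `service` object — and ACL JSON cannot hold comments. A sentence in the commit message, or in the wpad.init header comment, mapping each entry to the feature that needs it would let a later reviewer notice when an entry has become stale or when a new ubus method added to the daemons needs an ACL update. The file is presumably installed into ubus's ACL directory by the Makefile, which is outside this diffstat, so the commit message is the only place that link is visible.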