mirror of
git://git.openwrt.org/openwrt/openwrt.git
synced 2024-12-11 17:34:57 +00:00
hostapd: run as user 'network' if procd-ujail is installed
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running hostapd and wpa_supplicant without root priviledges. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This commit is contained in:
parent
d9d6988434
commit
1f78538387
@ -7,7 +7,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=hostapd
|
||||
PKG_RELEASE:=25
|
||||
PKG_RELEASE:=26
|
||||
|
||||
PKG_SOURCE_URL:=http://w1.fi/hostap.git
|
||||
PKG_SOURCE_PROTO:=git
|
||||
@ -145,6 +145,7 @@ define Package/hostapd/Default
|
||||
TITLE:=IEEE 802.1x Authenticator
|
||||
URL:=http://hostap.epitest.fi/
|
||||
DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
|
||||
USERID:=network=101:network=101
|
||||
PROVIDES:=hostapd
|
||||
CONFLICTS:=$(HOSTAPD_PROVIDERS)
|
||||
HOSTAPD_PROVIDERS+=$(1)
|
||||
@ -228,6 +229,7 @@ define Package/wpad/Default
|
||||
SUBMENU:=WirelessAPD
|
||||
TITLE:=IEEE 802.1x Auth/Supplicant
|
||||
DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
|
||||
USERID:=network=101:network=101
|
||||
URL:=http://hostap.epitest.fi/
|
||||
PROVIDES:=hostapd wpa-supplicant
|
||||
CONFLICTS:=$(HOSTAPD_PROVIDERS) $(SUPPLICANT_PROVIDERS)
|
||||
@ -342,6 +344,7 @@ define Package/wpa-supplicant/Default
|
||||
TITLE:=WPA Supplicant
|
||||
URL:=http://hostap.epitest.fi/wpa_supplicant/
|
||||
DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
|
||||
USERID:=network=101:network=101
|
||||
PROVIDES:=wpa-supplicant
|
||||
CONFLICTS:=$(SUPPLICANT_PROVIDERS)
|
||||
SUPPLICANT_PROVIDERS+=$(1)
|
||||
@ -593,10 +596,12 @@ define Install/supplicant
|
||||
endef
|
||||
|
||||
define Package/hostapd-common/install
|
||||
$(INSTALL_DIR) $(1)/lib/netifd $(1)/etc/rc.button $(1)/etc/hotplug.d/ieee80211 $(1)/etc/init.d
|
||||
$(INSTALL_DIR) $(1)/etc/capabilities $(1)/etc/rc.button $(1)/etc/hotplug.d/ieee80211 $(1)/etc/init.d $(1)/lib/netifd $(1)/usr/share/acl.d
|
||||
$(INSTALL_DATA) ./files/hostapd.sh $(1)/lib/netifd/hostapd.sh
|
||||
$(INSTALL_BIN) ./files/wpad.init $(1)/etc/init.d/wpad
|
||||
$(INSTALL_BIN) ./files/wps-hotplug.sh $(1)/etc/rc.button/wps
|
||||
$(INSTALL_DATA) ./files/wpad_acl.json $(1)/usr/share/acl.d
|
||||
$(INSTALL_DATA) ./files/wpad.json $(1)/etc/capabilities
|
||||
endef
|
||||
|
||||
define Package/hostapd/install
|
||||
|
@ -9,17 +9,33 @@ NAME=wpad
|
||||
start_service() {
|
||||
if [ -x "/usr/sbin/hostapd" ]; then
|
||||
mkdir -p /var/run/hostapd
|
||||
chown network:network /var/run/hostapd
|
||||
procd_open_instance hostapd
|
||||
procd_set_param command /usr/sbin/hostapd -s -g /var/run/hostapd/global
|
||||
procd_set_param respawn 3600 1 0
|
||||
[ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
|
||||
procd_add_jail hostapd
|
||||
procd_set_param capabilities /etc/capabilities/wpad.json
|
||||
procd_set_param user network
|
||||
procd_set_param group network
|
||||
procd_set_param no_new_privs 1
|
||||
}
|
||||
procd_close_instance
|
||||
fi
|
||||
|
||||
if [ -x "/usr/sbin/wpa_supplicant" ]; then
|
||||
mkdir -p /var/run/wpa_supplicant
|
||||
chown network:network /var/run/wpa_supplicant
|
||||
procd_open_instance supplicant
|
||||
procd_set_param command /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
|
||||
procd_set_param respawn 3600 1 0
|
||||
[ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
|
||||
procd_add_jail wpa_supplicant
|
||||
procd_set_param capabilities /etc/capabilities/wpad.json
|
||||
procd_set_param user network
|
||||
procd_set_param group network
|
||||
procd_set_param no_new_privs 1
|
||||
}
|
||||
procd_close_instance
|
||||
fi
|
||||
}
|
||||
|
22
package/network/services/hostapd/files/wpad.json
Normal file
22
package/network/services/hostapd/files/wpad.json
Normal file
@ -0,0 +1,22 @@
|
||||
{
|
||||
"bounding": [
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW"
|
||||
],
|
||||
"effective": [
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW"
|
||||
],
|
||||
"ambient": [
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW"
|
||||
],
|
||||
"permitted": [
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW"
|
||||
],
|
||||
"inheritable": [
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW"
|
||||
]
|
||||
}
|
10
package/network/services/hostapd/files/wpad_acl.json
Normal file
10
package/network/services/hostapd/files/wpad_acl.json
Normal file
@ -0,0 +1,10 @@
|
||||
{
|
||||
"user": "network",
|
||||
"access": {
|
||||
"service": {
|
||||
"methods": [ "event" ]
|
||||
}
|
||||
},
|
||||
"publish": [ "hostapd", "hostapd.*", "wpa_supplicant", "wpa_supplicant.*" ],
|
||||
"send": [ "bss.*", "wps_credentials" ]
|
||||
}
|
Loading…
Reference in New Issue
Block a user