On Thu, Nov 3, 2022 at 9:36 PM Martintxo <martin...@sindominio.net> wrote:
> After several failed tests guided by Martin-Éric Racine and carried out
> outside of this bug report, he asked me to put my working config and changes
> in the bug report. So this is how I have wireless connectivity on my ancient
> laptop, an Emachines 355 with an Intel Atom CPU at 1.66 GHz and 1 Gb of RAM.
>
> I am running Debian Testing, and have installed the following packages related
> to dhcpcd:
> - dhcpcd-base 9.4.1-9
> - dhcpcd-dbus 0.6.1-3
> - dhcpcd-gtk 0.7.8-1
> - dhcpcd5 9.4.1-9
>
> To make dhcpcd-gtk work with Debian, I copied the config of the Raspberry Pi
> Desktop for PC and Mac, which I saw in action on my laptop with this live CD:
> https://www.raspberrypi.com/software/raspberry-pi-desktop/
>
> I saw, later, that this config is compatible with the dhcpcd-gtk manual page.
> I will put excerpts of that man page in this text, below. I think that my
> config is compliant with these excerpts, but I am not totally sure.
>
> 1. In /etc/network/interfaces there must not be anything. The manual page
> says that: "dhcpcd(8) needs to be running in Master mode for dhcpcd-gtk to
> work with it", so it needs to be started in the boot process by systemd or
> init.d, and not by /etc/network/interfaces.
>
> 2. The manual page says that: "dhcpcd-gtk relies on wpa_supplicant(8) being
> configured to write its sockets to /var/run/wpa_supplicant. If dhcpcd-gtk is
> used to select and set pass phrases for wireless networks then update_config=1
> needs to be set in wpa_supplicant.conf." So I put this in
> /etc/wpa_supplicant/wpa_supplicant.conf:
>     ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
>     update_config=1
>
> 3. I checked that wpa_supplicant needs to be started by dhcpcd. For this I
> made this symbolic link:
>     $ sudo ln -s /usr/share/dhcpcd/hooks/10-wpa_supplicant /usr/lib/dhcpcd/dhcpcd-hooks
>
> 4. The man page says that: "If dhcpcd-gtk is used to make configuration
> changes then the user needs to be able to write to the privileged dhcpcd
> control socket as well as /etc/dhcpcd.conf." For that, I changed the
> permissions of /etc/dhcpcd.conf to these: rw-rw-r-- root:netdev. I put my
> normal user in the netdev group too. So, I ran these commands:
>     $ sudo chown root:netdev /etc/dhcpcd.conf
>     $ sudo chmod 664 /etc/dhcpcd.conf
>     $ sudo adduser "myuser" netdev
>
> 5. As said in my prior email in this bug report, prior to dhcpcd 9.4.1 with
> these changes, my setup was working well. But in 9.4.1 dhcpcd is started at
> boot by systemd (previously it was by an init script), and this has a
> "sandboxing" part that is preventing it from working. So now I need to remove
> all these lines from the systemd unit. For this I did:
> - Copy that unit to /etc/systemd/system:
>    $ sudo cp /lib/systemd/system/dhcpcd.service /etc/systemd/system
> - Edit /etc/systemd/system/dhcpcd.service and comment/remove all these lines:
> #
> # sandboxing
> #
> ProtectSystem=strict
> ReadWritePaths=/var/lib/dhcpcd /run/dhcpcd /etc/resolv.conf
> ProtectHome=true
> PrivateTmp=true
> PrivateDevices=true
> ProtectClock=true
> ProtectKernelModules=true
> ProtectKernelLogs=true
> ProtectControlGroups=true
> RestrictNamespaces=true
> LockPersonality=true
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> RestrictSUIDSGID=true
> SystemCallFilter=@system-service
> SystemCallErrorNumber=EPERM
> SystemCallArchitectures=native
>
> With this, dhcpcd starts well at laptop boot, and later I start dhcpcd-gtk
> with my desktop environment and it works well. I can select a wireless net,
> type its passphrase and the system connects to it...
>
> That's all for this to work. I made another change, but this is not needed
> for all users, I think. I put this line in /etc/dhcpcd.conf for dhcpcd not to
> change my /etc/resolv.conf file:
>     nohook resolv.conf
> But there are some other ways to achieve this as well, I think...
>
> Well. So this is the way I work. I understand that it is a very particular
> way, and that it does not have to be useful for everyone. But I think it's
> the only way to get dhcpcd-gtk to work well in a Debian desktop environment.
>
> Many thanks for all your work. Greetings. Martintxo.

Julien Rabier (in CC above) is the one who had contributed the systemd
unit hardening. Let's see if he has any solution to the above.

Martin-Éric
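
Step 5 of the quoted message drops every sandboxing directive from a local copy of dhcpcd.service. The script below is an added example, not part of either message or of the dhcpcd package: it reports which of those directives a given unit file still sets, so a local copy can be compared against the list in the message. The function names and the sample unit fragment are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Directive names exactly as listed in step 5 of the quoted message.
SANDBOX_KEYS="ProtectSystem ReadWritePaths ProtectHome PrivateTmp
PrivateDevices ProtectClock ProtectKernelModules ProtectKernelLogs
ProtectControlGroups RestrictNamespaces LockPersonality
MemoryDenyWriteExecute RestrictRealtime RestrictSUIDSGID SystemCallFilter
SystemCallErrorNumber SystemCallArchitectures"

# sandbox_status UNIT_FILE (hypothetical helper)
# Prints "<state> <directive>" for each key. States: "set" (an uncommented
# assignment exists), "commented" (only behind # or ;), "missing".
sandbox_status() {
    for key in $SANDBOX_KEYS; do
        if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$1"; then
            echo "set $key"
        elif grep -Eq "^[[:space:]]*[#;][[:space:]]*${key}[[:space:]]*=" "$1"; then
            echo "commented $key"
        else
            echo "missing $key"
        fi
    done
}

# sandbox_lost UNIT_FILE: number of listed directives that are not set.
sandbox_lost() {
    sandbox_status "$1" | grep -vc '^set ' || true
}

# Constructed sample unit fragment (not the packaged dhcpcd.service).
make_sample_unit() {
    cat > "$1" <<'EOF'
[Service]
ProtectSystem=strict
ReadWritePaths=/var/lib/dhcpcd /run/dhcpcd /etc/resolv.conf
#PrivateDevices=true
EOF
}

# Stand-alone use: sh thisscript.sh /etc/systemd/system/dhcpcd.service
if [ "$#" -gt 0 ]; then
    sandbox_status "$1"
    echo "directives not set: $(sandbox_lost "$1")"
fi
```

A directive reported as "set" only means an assignment is present in that file; drop-ins and the value itself are not evaluated.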
