On Thu 17 Mar 2022 at 14:50:06 (+0000), Brian wrote: > On Sun 13 Mar 2022 at 20:04:06 -0500, David Wright wrote: > > [...] > > > By the end of all this, the link should be working, and a file > > like this will have been written (that only root can see): > > > > # cat /var/lib/iwd/YourSSID.psk > > [Security] > > PreSharedKey=abdcef0123456789…abdcef0123456789…abdcef0123456789 > > Passphrase=yoursecretpassphrase > > # > > However, brian (who is not in the netdev group) can do > > iwctl known-networks YourSSID forget > > and /var/lib/iwd/YourSSID.psk is deleted. > > This user can also successfully execute > > iwctl station wlan0 connect YourSSID > > to bring about association with a WAP. Neither should be possible.
I have /read/ that security is handled through D-Bus, but I haven't followed this up because the above doesn't present a problem here. For example, /etc/dbus-1/system.d/org.freedesktop.ModemManager1.conf seems to be aimed at controlling a modem, where a user might otherwise be able to spend real money at someone else's expense. I guess Debian might provide something like that. I /imagine/ that such a facility could be quite fine-grained, unlike plain netdev permissions. For example, allowing "connect"ions like the above, but only to pre-defined SSIDs, and disallowing reconfigurations like the "forget" above. Then an /etc/default/iwd might define the privileged usernames for each operation, or point to a file defining such. Cheers, David.
