I'm sorry for wading into this. As with any security related discussion strawpeople can be made to support any particular thread pulling into infinity.
Would I love to see namespaces used as part of the base Openwrt architecture; absolutely. It's been discussed in the past; routing in particular would benefit immensely from this ; use of different routing table ID's is a step towards that, but complications like passing device id's in and out of namespaces however for the switch side of things is problematic and adds additional overhead as will it introduce issues at the expense of separation and flexibility. That potentially could mitigate some of your concerns, but I feel the preposition for me is openwrt is not multi-user by default OOTB for most (if not all) targets; and if you want it to be you can. So fiddling inode bitmasks is not addressing anything IMNSHO because of that fact. On Sat, 18 Apr 2020 at 00:50, Wes Turner <wes.tur...@gmail.com> wrote: > From a least privileges perspective: > > - chmod o-rwx /var/run/hostapd-phyX.conf > - chmod o-x uci # setfacl? > > Compromise of a service running as a different user should not result in > disclosure of sensitive keys only necessary for different services. > > https://openwrt.org/docs/guide-user/security/security-features mentions > procd jail / chroot? > > AFAIU, LXC is not available in the default kernel builds in any router? > LXC would be an additional layer of defenses over and above chroot, which > isn't seccomp > > On Fri, Apr 17, 2020, 5:13 AM Joel Wirāmu Pauling <j...@aenertia.net> > wrote: > >> No. If you have physical access to the node and/or a valid login as Admin >> then any form of PSK is vulnerable. >> >> If you are concerned about PSK's being exposed then you have the option >> to run 802.1x auth and issue issues tokens out of radius/IDM that is >> secured elsewhere than on the AP itself. >> >> On Fri, 17 Apr 2020 at 20:16, e9hack <e9h...@gmail.com> wrote: >> >>> Hi, >>> >>> the configuration files for hostapd (/var/run/hostapd-phyX.conf) are >>> readable for everyone. This means everyone can read the wifi passwords. If >>> a non privileged user calls 'uci show wireless', he will also get all wifi >>> passwords. This possible e.g. for user nobody and dnsmasq. >>> >>> Is this a a security issue? >>> >>> Regards, >>> Hartmut >>> >>> _______________________________________________ >>> openwrt-devel mailing list >>> openwrt-devel@lists.openwrt.org >>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >>> >> _______________________________________________ >> openwrt-devel mailing list >> openwrt-devel@lists.openwrt.org >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >> >
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel