How do I block /etc/wpa_supplicant/wpa_supplicant.conf from non-root users but still allow all users to connect to that SSID? For example, if I have a hidden network called xyz with password 1234secure. I connect to that SSID from the admin account. After I log out, I want the demo user called demo to be able to log in and connect to that access point without being able to vi /etc/wpa_supplicant/wpa_supplicant.conf to see the password. Right now, creating a new user that is not in the sudoers group can view that file because by default it is rw,r,r. If I change it to rw,-,- I don't know how the system will read it.
2 Answers
A while ago, I downloaded a clean version of Buster (with desktop) for ethernet connection and can see the following:
I had added ssh to /boot and booted up directly on the hardwired network - this does give Pi access to wpa_supplicant.conf as it has the rights:
-rw-r--r-- 1 root root 83 Dec 27 16:44 /etc/wpa_supplicant/wpa_supplicant.conf
BUT it obviously does not contain any WiFi details at this point.
Trying to create a wpa_supplicant using nano /boot/wpa_supplicant.conf returns Error writing /boot/wpa_supplicant.conf: Permission denied when trying to save the file as /boot has the drwxr-xr-x permission.
Using sudo nano /boot/wpa_supplicant.conf creates the file as
-rwxr-xr-x 1 root root 151 Mar 5 13:51 /boot/wpa_supplicant.conf
Doing a reboot connects to my WiFi and Ethernet networks, and the O/S startup moves the file out of /boot to /etc/wpa_supplicant, and the resulting file is secure:
-rw------- 1 root root 151 Mar 5 13:51 /etc/wpa_supplicant/wpa_supplicant.conf
So it looks like on the standard version issued by RPF, the security settings are set fine. What I should have done is spend a bit of time hunting around as it seems that this is handled by the raspberrypi-net-mods.service (as of this post) and this contains:
[Unit]
Description=Copy user wpa_supplicant.conf
ConditionPathExists=/boot/wpa_supplicant.conf
Before=dhcpcd.service
After=systemd-rfkill.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/mv /boot/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant.conf
ExecStartPost=/bin/chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf
ExecStartPost=/usr/sbin/rfkill unblock wifi
[Install]
WantedBy=multi-user.target
Note the chmod after the move. This will stop non-root users from accessing the network details (assuming you do not give sudo rights to any editors), and by default /boot is set to stop limited users adding new network info.
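The permission state the answer describes (root-owned, mode 0600, which the daemon can still read because wpa_supplicant itself runs as root) can be checked and repaired without waiting for raspberrypi-net-mods to run. The script below is an added example written for this page, not code from Raspberry Pi OS; the default path is the one from the question, and the demo runs against a scratch copy with the 0644 mode the asker observed so it can be tried as an ordinary user.

```python
import os
import stat
import tempfile

# Path from the question; every function accepts another path so the demo
# can run on a throwaway file instead of the real config.
WPA_CONF = "/etc/wpa_supplicant/wpa_supplicant.conf"


def audit_wpa_conf(path: str = WPA_CONF) -> dict:
    """Report who can read a wpa_supplicant.conf: owner, mode and group/other read bits."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "owner_is_root": st.st_uid == 0,
        "mode": mode,
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        # What raspberrypi-net-mods leaves behind: root-owned, rw for root only.
        "secure": st.st_uid == 0 and mode == 0o600,
    }


def harden_wpa_conf(path: str = WPA_CONF) -> int:
    """Apply the same fix as the unit's ExecStartPost (chmod 600); returns the new mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Audit, harden and re-audit a constructed scratch config that starts out 0644."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        # Constructed sample content using the SSID and password from the question.
        f.write('network={\n\tssid="xyz"\n\tpsk="1234secure"\n}\n')
        path = f.name
    os.chmod(path, 0o644)  # the rw,r,r state the asker saw
    before = audit_wpa_conf(path)
    harden_wpa_conf(path)
    after = audit_wpa_conf(path)
    os.unlink(path)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage}: mode={result['mode']:o} world_readable={result['world_readable']}")
```

Run against the real file as root, `audit_wpa_conf()` should report `secure: True`; if it reports a group or other read bit, `harden_wpa_conf()` restores what the service would have set. Ownership is checked rather than changed, since a config not owned by root is worth investigating rather than silently chown'ing.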
The default permissions are:
-rw------- 1 root root 1055 2021-03-05 11:14 /etc/wpa_supplicant/wpa_supplicant.conf
There is no problem unless you (or some program) fiddled with it.
cat /etc/wpa_supplicant/wpa_supplicant.conf as Pi returns Permission denied – Mar 05 '21 at 03:30
vi /etc/wpa_supplicant/wpa_supplicant.conf opens up for the other user and permissions are rw,r,r. The data in there is what was set up during the initial install wizard. – jtlindsey Mar 05 '21 at 06:52
I'm not sure why mine is different. It's a fresh install with no additional packages added. Reading Andrew's comment I wonder if that file's permissions start out rw,r,r during the initial install and are changed the next time the wifi is modified. I don't have any other ideas other than the SD card with Pi preinstalled might not be authentic. – jtlindsey Mar 05 '21 at 06:55
@learnsomemore I doubt the "file's permissions starts out rw,r,r" - it never has in my experience. I haven't used this in years - I put my wpa_supplicant.conf which is copied on boot and the correct permission set. I use wpa_passphrase so even root can't read the password. – Milliways Mar 05 '21 at 07:29
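The wpa_passphrase approach from the last comment replaces the quoted passphrase with the 256-bit PSK, which WPA2-Personal derives as PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes). The block below is an added example, not code from the page or from wpa_supplicant: it reproduces that derivation in Python, builds a network stanza for the hidden SSID from the question (so it sets scan_ssid=1), and flags stanzas that still carry a plaintext psk="..." line. The sample SSID and passphrase are the ones the asker gave; the function and variable names are mine.

```python
import hashlib
import re

# Constructed sample values taken from the question (hidden SSID "xyz").
SAMPLE_SSID = "xyz"
SAMPLE_PASSPHRASE = "1234secure"


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the WPA2 PSK as 64 hex chars, the value wpa_passphrase(8) prints as psk=.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    dk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                             ssid.encode("utf-8"), 4096, 32)
    return dk.hex()


def network_block(ssid: str, passphrase: str, hidden: bool = False) -> str:
    """Build a wpa_supplicant.conf network={} stanza carrying the hex PSK, not the passphrase."""
    if '"' in ssid:
        raise ValueError("quoted ssid= cannot contain a double quote")
    lines = ["network={", f'\tssid="{ssid}"']
    if hidden:
        lines.append("\tscan_ssid=1")  # needed for an SSID that is not broadcast
    lines.append(f"\tpsk={wpa_psk(ssid, passphrase)}")  # hex PSK is written unquoted
    lines.append("}")
    return "\n".join(lines)


def stanza_leaks_passphrase(stanza: str) -> bool:
    """True if a quoted psk="..." line is present, commented out or not.

    wpa_passphrase prints the plaintext as a '#psk=' comment above the hex line;
    that comment has to be deleted by hand or the passphrase is still in the file.
    """
    return re.search(r'^\s*#?\s*psk="', stanza, re.MULTILINE) is not None


if __name__ == "__main__":
    print(network_block(SAMPLE_SSID, SAMPLE_PASSPHRASE, hidden=True))
```

Two caveats a practitioner should keep in mind: the hex PSK hides the passphrase but is itself the key the station uses to join, so the file still needs the root-only 0600 mode the answers describe; and wpa_passphrase leaves the plaintext in a `#psk=` comment, which `stanza_leaks_passphrase` is there to catch before the file is installed.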