WPA_Supplicant: Permission Denied

Hi all,

It's been a minute since I've been on any of the *BSD's on my main machine so please forgive me if I'm misusing any terminology:

I'm currently running networkmgr 6.1_1 on FreeBSD Release 13.1 and I'm having a permission error with wpa_supplicant when using the gui to connect to an open Wifi Network.

Here's the message given when running networkmgr in a terminal and trying an open Wifi Network:

Code:
$networkmgr
service netif status not supported
Traceback (most recent call last):
  File "/usr/local/share/networkmgr/trayicon.py", line 193, in menu_click_lock
    if f'"{ssid_info[0]}"' in open('/etc/wpa_supplicant.conf').read():
PermissionError: [Errno 13] Permission denied: '/etc/wpa_supplicant.conf'

Current groups I'm in:
Code:
$ id base9
uid=1001(base9) gid=1001(base9) groups=1001(base9),0(wheel),44(video)

ifconfig:

Code:
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 90:2e:1c:fc:d5:19
    inet 192.168.0.32 netmask 0xffffff00 broadcast 192.168.0.255
    groups: wlan
    ssid MyDarkside channel 153 (5765 MHz 11a) bssid 4c:ab:f8:48:57:59
    regdomain FCC country US authmode WPA2/802.11i privacy ON
    deftxkey UNDEF AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 23 bmiss 10
    mcastrate 6 mgmtrate 6 scanvalid 60 wme roaming MANUAL
    parent interface: iwm0
    media: IEEE 802.11 Wireless Ethernet OFDM/6Mbps mode 11a
    status: associated
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Currently my doas.conf looks like the following since following some suggestions posted here:
Code:
permit keepenv :base9
permit :wheel
permit nopass keepenv :wheel cmd netcardmgr
permit nopass keepenv :wheel cmd ifconfig
permit nopass keepenv :wheel cmd service
permit nopass keepenv :wheel cmd wpa_supplicant

Please let me know if I need to give more information before further diagnosing or if I missed any red flags.

Thank you~
 
On installation of package/port net-mgmt/networkmgr a sudoers rules file is dropped as /usr/local/etc/sudoers.d/networkmgr, which grants permission to the networkmgr executable:
Code:
%wheel ALL=(ALL) NOPASSWD: /usr/local/bin/networkmgr

In your doas.conf configuration the networkmgr rule is missing.

The sudoers rules file has only the networkmgr executable rule, which suggests only that rule is necessary to grant permission to an unprivileged user (and the wheel group the user must be in) to use the utility.

Try without those other rules.
 
This more or less implies you're supposed to start it this way: $ sudo networkmgr or in case of doas(1): $ doas networkmgr.

It needs to be run with elevated privileges, because normal users aren't allowed to edit/modify /etc/wpa_supplicant.conf and stop/start/restart the (wireless) network interfaces.
 
base9, I checked the run dependencies of net-mgmt/networkmgr, security/sudo is a dependency:
Code:
% make run-depends-list -C /usr/ports/net-mgmt/networkmgr | grep sudo
/usr/ports/security/sudo
Alternatively run pkg info -d networkmgr | grep sudo.

The utility is configured to run out of the box by simply executing networkmgr or set the command in an autostart configuration file (SirDice, just checked on a test system, no preceding sudo command necessary). A doas.conf rule isn't needed at all.

See also /usr/local/etc/xdg/autostart/networkmgr.desktop
Code:
Exec=sudo networkmgr

Have you maybe an elevated system security level? What does grep security /etc/sysctl.conf show?
 
Thank you (and everyone else) for your insight. I do remember sudo being a dependency, but since I was trying to move onto doas for escalated privileges on my system, I didn't think to check out how sudo is set up on my machine (default).

I guess the actual question of my post is: how do I safely run networkmgr with escalated privilege on my system while continuing to use doas instead of sudo.

I tried a simple solution of editing the networkmgr.desktop file from
Code:
 sudo networkmgr
to
Code:
 doas networkmgr

I trimmed my doas.conf to the following after the above suggestions from helpful users here:
Code:
permit keepenv :base9
permit :wheel

All to no avail. As for the system security level, it shows the following:
Code:
#security.bsd.see_other_uids=0

I eagerly await your replies~
 
Dear base9,
this is not an answer to your question. But it is often better to fix the basic files around something like WLAN instead of using a front end which might lag behind the basic tools. Especially Linux lists are full of questions like "this manager does not work" and the answer is "try that network manager". It should be better to be capable to fix issues with the files the OS provides. If things work there is nothing wrong using a network manager to switch between WLANs or so in a GUI.
 
wifimgr() is more rudimentary but integrates well with wpa_supplicant.conf and system security. You should only have the interface identified in rc.conf.
 
Dear base9,
this is not an answer to your question. But it is often better to fix the basic files around something like WLAN instead of using a front end which might lag behind the basic tools. Especially Linux lists are full of questions like "this manager does not work" and the answer is "try that network manager". It should be better to be capable to fix issues with the files the OS provides. If things work there is nothing wrong using a network manager to switch between WLANs or so in a GUI.
Agreed. I do believe that the proper *BSD 'solution' in this case is to use the well-documented config files for wpa_supplicant and what not, however, I am determined to find and document my solution here for new users.
 
Works for me with the only line in /usr/local/etc/doas.conf:
Code:
permit nopass keepenv :wheel as root cmd networkmgr

Run doas networkmgr in terminal. Precede doas also when setting networkmgr in an autostart file.
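
Added example (not part of any post in this thread, and not code from doas or networkmgr): a small evaluator showing which doas.conf rule applies to `doas networkmgr` under the rule sets posted above. It assumes the doas.conf(5) behaviour that the last matching rule wins, handles only the `permit|deny [options] identity [as target] [cmd command]` subset, and the function names `parse`, `decide` and `summary` are hypothetical.

```python
# Added example: evaluates a subset of doas.conf(5) syntax; not the real doas parser.
import shlex

ORIGINAL = """\
permit keepenv :base9
permit :wheel
permit nopass keepenv :wheel cmd netcardmgr
permit nopass keepenv :wheel cmd ifconfig
permit nopass keepenv :wheel cmd service
permit nopass keepenv :wheel cmd wpa_supplicant
"""
FINAL = "permit nopass keepenv :wheel as root cmd networkmgr\n"
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

def parse(text):
    """Parse rule lines into dicts; options, identity, then 'as'/'cmd' pairs."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        i = 1
        while tok[i] in OPTIONS:
            i += 1
        rest = dict(zip(tok[i + 1::2], tok[i + 2::2]))
        rules.append({"action": tok[0], "options": set(tok[1:i]), "identity": tok[i],
                      "target": rest.get("as"), "cmd": rest.get("cmd"), "line": line})
    return rules

def decide(rules, user, groups, command, target="root"):
    """Return the last matching rule, or None (nothing matched means denied)."""
    hit = None
    for r in rules:
        ident = r["identity"]
        who = ident[1:] in groups if ident.startswith(":") else ident == user
        if who and r["target"] in (None, target) and r["cmd"] in (None, command):
            hit = r
    return hit

def summary(rule):
    if rule is None or rule["action"] == "deny":
        return "denied"
    ask = "no password" if "nopass" in rule["options"] else "password prompt"
    env = "environment kept" if "keepenv" in rule["options"] else "new environment"
    return f"{ask}, {env}"

if __name__ == "__main__":
    groups = {"base9", "wheel", "video"}  # from the `id base9` output in the thread
    for name, conf in (("original", ORIGINAL), ("final", FINAL)):
        print(name, "->", summary(decide(parse(conf), "base9", groups, "networkmgr")))
```

Under the original rules the evaluator selects `permit :wheel` for networkmgr (password prompt, no keepenv), while the single-line configuration selects the nopass keepenv rule and denies every other command.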
 