On Tue, Feb 7, 2023 at 8:07 PM Pásztor János <pasztor.ja...@it.ppke.hu> wrote:
> Now that explains why wpa_supplicant can communicate over its socket
> and says that the file is not found. I think with that we have reached
> a conclusion. Without a major refactor in both wpa_supplicant and
> dhcpcd this will not work.
>
> Our options are the following, I think:
>
> a.) leave out PrivateTmp from the unit file
>
> b.) leave PrivateTmp in the unit file and document that one
> has to start wpa_supplicant via different means, e.g. as a separate
> systemd unit
I'll just leave out PrivateTmp for now. If anyone ever figures out a non-disruptive way to reintroduce it, we can return to that later.

> In the end we have managed to keep much of the hardening in place,
> which is a good thing as dhcpcd is a bunch of C code which parses
> untrusted input from the network, and I am grateful for the extra
> safety net that systemd provides.

Yes, we have still retained most of the hardening. We didn't even have any in 7.1.0, so that's already an improvement over what's in stable and oldstable.

Major thanks for putting in the time to debug this!

Martin-Éric
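For anyone applying the same trade-off to their own unit, the drop-in below is an added illustration and not the Debian dhcpcd package's actual unit file: it keeps the kind of sandboxing directives the thread refers to while leaving PrivateTmp= out, and records why. Every directive listed is an assumption about what dhcpcd and its hook scripts tolerate (dhcpcd writes IPv6 sysctls under /proc/sys and needs AF_PACKET and AF_NETLINK sockets), so test it on the target host before shipping it.

```ini
# /etc/systemd/system/dhcpcd.service.d/hardening.conf
# Added example, not the Debian dhcpcd unit. Directive choices are assumptions.
[Service]
# Deliberately NOT enabled. dhcpcd's wpa_supplicant hook talks to wpa_supplicant
# over a control socket; with PrivateTmp=yes the service gets its own /tmp, so
# the socket path the hook expects is not there ("file not found").
PrivateTmp=no

# Hardening that does not touch the /tmp namespace (assumed to work with dhcpcd;
# verify with `systemctl status dhcpcd` and the journal after a lease renewal).
ProtectHome=yes
ProtectControlGroups=yes
# ProtectKernelTunables=yes is left out on purpose: dhcpcd writes IPv6 sysctls
# (e.g. accept_ra) under /proc/sys/net/ipv6/conf/ and would stop working.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_PACKET AF_NETLINK
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
```

After `systemctl daemon-reload` and `systemctl restart dhcpcd`, run `systemd-analyze security dhcpcd.service`: it lists each exposure that remains, including the PrivateTmp= line, which is a convenient way to keep the deliberate gap visible rather than forgotten.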