On Thursday 10 August 2006 04:17, Reinhard Tartler wrote: > Christoph Biedl <[EMAIL PROTECTED]> writes: > > If you agree: > > * In postinst: Check whether /e/n/i permissions are 660 or tighter and > > offer to fix them if required. > > I don't really agree here, as I don't see the necessity to bug the > user with an additional question. Instead, we should answer the > question for the user. > > Unfortunately, /e/n/i is not the business of wpasupplicant, but of > ifupdown.
Agreed. I don't think wpasupplicant's maintainer scripts are a suitable place to provide this information to the end user. However, this is exactly the kind of advice that should be in our end user docmentation; README.modes. A dedicated paragraph discussing security considerations and best practice with respect to wpa_supplicant would be an excellent addition. > > > * If wpasupplicant reads credentials from /e/n/i and finds loose > > permissions: Print a warning message on the console or at least via > > syslog. > > We could implement such a check in ifupdown.sh, but I don't think its > worth the trouble. > > Kel, how do you think? If this is well documented in README.modes, is there any compelling reason to enforce this in code form too? I can visualise many different permutations of wpa-* options used by many different people; there is much flexibility. I would not like to volunteer to support such stringent sanity checking code unless totally convinced it is worth it. Printing to syslog about this would be of no benefit, imho. Our scripts currently do not do it, and I personally would not be aware to look through syslog for tips about ifupdown. Thanks, Kel. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]