None of the above fit all cases. In general a "console user" should not
gain extra privileges automatically and ttyaction does not cut it either.

On the other hand we want typical notebook setups (with single, non-root
user) to work as automatically as possible. Here a console user should
be able to access (some) USB devices, connect to wifi, ....

So we may need a broader solution than just for this socket and add some
rc.conf knob to select classic host vs. extended-console-user-admin-privs
notebook kind of thing.

Martin

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Keeping in mind that this is to decide the default behaviour for *if*
a user elects to enable wpa_supplicant.

- I think picking wheel as the default group makes sense
- It "just" needs to be documented - in the man page?
- If we add an option to enable wpa_supplicant in sysinst it should
also inform the user of this in the UI

Good change :)

David

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I know I spoke up before, but I wanted to point out that while I
suggested a wpa_supplicant group, a later suggestion by someone was a
"net" group, with the name not really mattering, but intending that
anyone in the net group could be allowed to change network config of
varying types.

So I am entirely ok with either:

- keep things as you just did (wheel) (your 1)

- add a net_control or some such group and use that (your 2)

The others seem unreasonable (3) and too complicated for inadequate gain
(4, 6).

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

On Feb 4, 3:28pm, Roy Marples wrote:
}
} Moving this discussion onto tech-net.
}
} Summary - I added a default configuration for wpa_supplicant which
} enabled the control socket. With this enabled wpa_supplicant will
} default the group owner to the group owner of the top level directory
} where it resides which is normally wheel. To clarify this, I set the
} socket group to wheel in the default config as well.
}
} This will only affect new installations as existing setups already have
} their own wpa_supplicant.conf(5) and wheel defaults to no members and
} whose only purpose before now was to allow su to root.
}
} Maya pointed out this relaxed the default privs from what we used to
} ship and a conversation then ensued.
} https://mail-index.netbsd.org/source-changes-d/2019/01/12/msg010932.html
}
} mrg was the only out right dissenter of this change:
} https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010941.html
}
} Greg suggested a wpa_supplicant group:
} https://mail-index.netbsd.org/source-changes-d/2019/01/13/msg010937.html
}
} Although Robert was against this idea:
} https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010943.html
}
} Jason suggested that using ttyaction(5) could chown the the socket as a
} hackish alternative.
} https://mail-index.netbsd.org/source-changes-d/2019/01/14/msg010948.html
}
} The overall feedback was generally positive, but I would like to guage a
} wider audience, hence now posting this here as the original conversation
} on source-changes-d has now stalled.
}
} Here are the options as I see them:
} 1) Keep things as they are now
} 2) Change the default group
} 3) Turn off the socket
} 4) Add config option to explicity set socket mode
} 6) Change the socket mode to revoke group access and use ttyaction
}
} The last option would also need to introduce a new configuration option
} upstream.

I'm not overly fussy with which way it goes. However, I am
against the idea of using ttyaction as networking configuration
has very little to do with who's logged in.

}-- End of excerpt from Roy Marples

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de