[PATCH] Implement read-only mode for SSIDs

Jouni Malinen j at w1.fi
Tue Nov 29 07:32:16 PST 2022

On Wed, May 05, 2021 at 03:53:43PM +0200, Maximilian Bosch wrote:
> On NixOS[1] - a Linux distribution which allows configuring a full OS
> declaratively - it's possible to configure SSIDs for `wpa_supplicant`
> like this:
>     networking.wireless.networks = {
>       myssid = {
>         pskRaw = "<redacted>";
>       };
>     };
> It's also possible to add networks "imperatively" using `wpa_gui` or
> `wpa_cli`. However it's not possible to do both because if the first
> option is used, NixOS creates a read-only symlink at
> `/etc/wpa_supplicant.conf` and then it's not possible for
> `wpa_supplicant` anymore to write to it.
> This patch aims to help us change this: while "declarative" SSID
> configuration can be quite useful, it's a bad idea for e.g. sensitive
> stuff like a WPA2 enterprise network.
> The original idea was to use `-I`[2] for immutable configs (including
> "declarative" networks) on NixOS and `-c /etc/wpa_supplicant.conf` for
> anything "imperative".
> However this doesn't really work out because if a wifi network from a
> config file specified with `-I` is changed by e.g. `wpa_gui`, it's
> silently overwritten in `/etc/wpa_supplicant.conf` (specified with
> `-c`) which is IMHO unintuitive (in our case at least). This patch
> basically declares each network defined in a config file passed via `-I`
> to `wpa_supplicant` as "read-only" and doesn't write these "read-only"
> networks to `/etc/wpa_supplicant.conf`.
> A bit more context can be found on GitHub in the PR where I implemented
> this[3].
> I know that this is a fairly distro-specific thing and has a rather low
> chance to actually land in upstream because of that. However I figured
> that it's still worth a try, especially because `-I` seems to be
> designed for "global" configuration options only and its behavior if
> SSIDs are defined in there doesn't seem explicitly defined to me.

Thanks, applied.
Jouni Malinen                                            PGP id EFC895FA
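
An added example, not part of the original thread or of the applied patch: a small audit check for the overwrite problem described in the quoted message, reporting any SSID defined in the `-I` file that has also been persisted to the `-c` file. It assumes the usual `network={ ... }` block syntax of `wpa_supplicant.conf`; the sample configs are constructed and the helper names are hypothetical.

```python
import re

# Constructed sample configs (illustrative values, not from the thread).
IMMUTABLE_CONF = '''
ctrl_interface=/run/wpa_supplicant
network={
    ssid="myssid"
    psk="declared-secret"
}
'''
WRITABLE_CONF_OK = '''
update_config=1
network={
    ssid="cafe"
    key_mgmt=NONE
}
'''
WRITABLE_CONF_SHADOWED = WRITABLE_CONF_OK + '''
network={
    ssid="myssid"
    psk="changed-in-gui"
}
'''

NETWORK_BLOCK = re.compile(r'^\s*network\s*=\s*\{(.*?)^\s*\}', re.S | re.M)
SSID_LINE = re.compile(r'^\s*ssid\s*=\s*(.+?)\s*$', re.M)

def decode_ssid(value):
    """An ssid value is either a quoted string or unquoted hex."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # other encodings are compared as written

def ssids(conf_text):
    """Return the set of SSIDs defined in network={...} blocks."""
    found = set()
    for block in NETWORK_BLOCK.finditer(conf_text):
        m = SSID_LINE.search(block.group(1))
        if m:
            found.add(decode_ssid(m.group(1)))
    return found

def shadowed(immutable_text, writable_text):
    """SSIDs from the -I file that also appear in the -c file."""
    return sorted(ssids(immutable_text) & ssids(writable_text))
```

An empty result from `shadowed()` means no network from the immutable file has been written back to the writable one.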

