Is there a way to run hostapd as non-root user?

Jouni Malinen j at w1.fi
Thu Oct 6 03:35:48 PDT 2022


On Mon, Oct 03, 2022 at 04:54:28AM +0000, Branko wrote:
> Running hostapd as root seems risky.
> I tried tweaking udev so that my WiFi NIC shows up as owned by
> hostapd:hostapd (and thus be accessible to the hostapd daemon), but the daemon
> refuses to read even its config file as non-root. It keeps falsely
> reporting that it has no permission to read the config file.
> 
> Is there a good way to run hostapd as non-root?

It should be possible to do this by providing the needed set of Linux
capabilities for the hostapd file, i.e., CAP_NET_ADMIN and CAP_NET_RAW
in most cases. I've mostly tested this with wpa_supplicant (see
wpa_supplicant/README and the "Linux capabilities instead of privileged
process" section), but based on a quick test, this seemed to work with
hostapd as well:

sudo setcap cap_net_raw,cap_net_admin+ep hostapd
./hostapd test.conf


PS.

That comment about not having permission to read the conf file sounds a
bit strange. I don't see that when trying to run hostapd without
sufficient privileges. Instead, I get this:

$ ./hostapd test.conf 
Could not set interface wlan0 flags (UP): Operation not permitted
nl80211: Could not configure driver mode
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
nl80211 driver initialization failed.
wlan0: interface state UNINITIALIZED->DISABLED
wlan0: AP-DISABLED 
wlan0: CTRL-EVENT-TERMINATING 
hostapd_free_hapd_data: Interface wlan0 wasn't started


-- 
Jouni Malinen                                            PGP id EFC895FA
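
An added example, not part of the original message or of the hostapd project: a shell check that a running hostapd holds exactly the two capabilities named in the reply above and nothing more, read from the CapEff line of /proc/<pid>/status. The function names are this example's own; bits 12 and 13 are CAP_NET_ADMIN and CAP_NET_RAW as defined in linux/capability.h.

```shell
#!/bin/sh
# Added example: audit the effective capabilities of a running hostapd.
# Bit numbers come from linux/capability.h.
CAP_NET_ADMIN_BIT=12
CAP_NET_RAW_BIT=13
WANT=$(( (1 << CAP_NET_ADMIN_BIT) | (1 << CAP_NET_RAW_BIT) ))   # 0x3000

# classify_capeff HEXMASK -> prints one of: exact, excess, missing, invalid
classify_capeff() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) echo invalid; return 0 ;;
    esac
    mask=$((0x$1))
    if [ $((mask & WANT)) -ne "$WANT" ]; then
        echo missing      # at least one of the two capabilities is absent
    elif [ $((mask & ~WANT)) -ne 0 ]; then
        echo excess       # more privilege than the two capabilities (e.g. root)
    else
        echo exact
    fi
}

# audit_pid PID -> prints "uid=<effective uid> capeff=<hex> <verdict>"
audit_pid() {
    status="/proc/$1/status"
    [ -r "$status" ] || { echo "cannot read $status" >&2; return 1; }
    # Uid: line is real, effective, saved, filesystem; field 3 is effective.
    euid=$(awk '$1 == "Uid:" { print $3 }' "$status")
    capeff=$(awk '$1 == "CapEff:" { print $2 }' "$status")
    echo "uid=$euid capeff=$capeff $(classify_capeff "$capeff")"
}

# Usage: sh audit.sh <pid of hostapd>
if [ -n "${1:-}" ]; then audit_pid "$1"; fi
```

A hostapd started by an unprivileged user after the setcap command above is expected to report a non-zero uid and `exact`, while a daemon started as root reports `excess`. File capabilities apply to any user who can execute the binary, so execute permission on it is worth restricting to the dedicated account or group.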


