# WPA_Supplicant: Permission Denied



## base9 (Sep 27, 2022)

Hi all,

It's been a minute since I've been on any of the *BSD's on my main machine so please forgive me if I'm misusing any terminology:

I'm currently running networkmgr 6.1_1 on FreeBSD Release 13.1 and I'm having a permission error with wpa_supplicant when using the GUI to connect to an open Wifi Network.

Here's the message given when running networkmgr in a terminal and trying an open Wifi Network:


```
$networkmgr
service netif status not supported
Traceback (most recent call last):
  File "/usr/local/share/networkmgr/trayicon.py", line 193, in menu_click_lock
    if f'"{ssid_info[0]}"' in open('/etc/wpa_supplicant.conf').read():
PermissionError: [Errno 13] Permission denied: '/etc/wpa_supplicant.conf'
```

Current groups I'm in:

```
$ id base9
uid=1001(base9) gid=1001(base9) groups=1001(base9),0(wheel),44(video)
```

ifconfig: 


```
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 90:2e:1c:fc:d5:19
    inet 192.168.0.32 netmask 0xffffff00 broadcast 192.168.0.255
    groups: wlan
    ssid MyDarkside channel 153 (5765 MHz 11a) bssid 4c:ab:f8:48:57:59
    regdomain FCC country US authmode WPA2/802.11i privacy ON
    deftxkey UNDEF AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 23 bmiss 10
    mcastrate 6 mgmtrate 6 scanvalid 60 wme roaming MANUAL
    parent interface: iwm0
    media: IEEE 802.11 Wireless Ethernet OFDM/6Mbps mode 11a
    status: associated
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
```

Currently my doas.conf looks like the following since following some suggestions posted here:

```
permit keepenv :base9
permit :wheel
permit nopass keepenv :wheel cmd netcardmgr
permit nopass keepenv :wheel cmd ifconfig
permit nopass keepenv :wheel cmd service
permit nopass keepenv :wheel cmd wpa_supplicant
```

Please let me know if I need to give more information before further diagnosing or if I missed any red flags.

Thank you~


----------



## SirDice (Sep 27, 2022)

What are the permissions on /etc/wpa_supplicant.conf?


----------



## T-Daemon (Sep 27, 2022)

base9 said:


> Currently my doas.conf looks like the following since following some suggestions posted here:
> 
> ```
> permit keepenv :base9
> ...
> ```



On installation of package/port net-mgmt/networkmgr a sudoers rules file is dropped as /usr/local/etc/sudoers.d/networkmgr, which grants permission to the networkmgr executable:

```
%wheel ALL=(ALL) NOPASSWD: /usr/local/bin/networkmgr
```

In your doas.conf configuration the `networkmgr` rule is missing.

The sudoers rules file has only the networkmgr executable rule, which suggests only that rule is necessary to grant permission to an unprivileged user (and the wheel group the user must be in) to use the utility.

Try without those other rules.


----------



## SirDice (Sep 27, 2022)

This more or less implies you're supposed to start it this way: `$ sudo networkmgr` or in case of doas(1): `$ doas networkmgr`.

It needs to be run with elevated privileges, because normal users aren't allowed to edit/modify /etc/wpa_supplicant.conf and stop/start/restart the (wireless) network interfaces.


----------



## T-Daemon (Sep 27, 2022)

base9, I checked the run dependencies of `net-mgmt/networkmgr`, security/sudo is a dependency:

```
% make run-depends-list -C /usr/ports/net-mgmt/networkmgr | grep sudo
/usr/ports/security/sudo
```
Alternatively run `pkg info -d networkmgr | grep sudo`.

The utility is configured to run out of the box by simply executing `networkmgr` or set the command in an autostart configuration file (SirDice, just checked on a test system, no preceding `sudo` command necessary). A doas.conf rule isn't needed at all.

See also /usr/local/etc/xdg/autostart/networkmgr.desktop

```
Exec=sudo networkmgr
```

Have you maybe an elevated system security level? What does `grep security /etc/sysctl.conf` show?


----------



## base9 (Sep 28, 2022)

T-Daemon said:


> base9, I checked the run dependencies of `net-mgmt/networkmgr`, security/sudo is a dependency:
> 
> ```
> % make run-depends-list -C /usr/ports/net-mgmt/networkmgr | grep sudo
> ...
> ```


Thank you (and everyone else) for your insight. I do remember sudo being a dependency, but since I was trying to move onto doas for escalated privileges on my system, I didn't think to check out how sudo is set up on my machine (default).

I guess the actual question of my post is: how do I safely run networkmgr with escalated privilege on my system while continuing to use doas instead of sudo?

I tried a simple solution of editing the networkmgr.desktop file from 

```
sudo networkmgr
```
to

```
doas networkmgr
```

I trimmed my doas.conf to the following after the above suggestions from helpful users here:

```
permit keepenv :base9
permit :wheel
```

all to no avail. As for the system security level, it shows the following:

```
#security.bsd.see_other_uids=0
```

I eagerly await your replies~


----------



## chrbr (Sep 28, 2022)

Dear base9,
this is not an answer to your question. But it is often better to fix the basic files around something like WLAN instead of using a front end which might lag behind the basic tools. Especially Linux lists are full of questions like "this manager does not work" and the answer is "try that network manager". It should be better to be capable to fix issues with the files the OS provides. If things work there is nothing wrong using a network manager to switch between WLANs or so in a GUI.


----------



## CuatroTorres (Sep 28, 2022)

wifimgr() is more rudimentary but integrates well with wpa_supplicant.conf and system security. You should only have the interface identified in rc.conf.


----------



## base9 (Sep 28, 2022)

chrbr said:


> Dear base9,
> this is not an answer to your question. But it is often better to fix the basic files around something like WLAN instead of using a front end which might lag behind the basic tools. Especially Linux lists are full of questions like "this manager does not work" and the answer is "try that network manager". It should be better to be capable to fix issues with the files the OS provides. If things work there is nothing wrong using a network manager to switch between WLANs or so in a GUI


Agreed. I do believe that the proper *BSD 'solution' in this case is to use the well-documented config files for wpa_supplicant and what not, however, I am determined to find and document my solution here for new users.


----------



## T-Daemon (Sep 29, 2022)

base9 said:


> I trimmed my doas.conf to the following after the above suggestions from helpful users here:
> 
> ```
> permit keepenv :base9
> ...
> ```



Works for me with the only line in /usr/local/etc/doas.conf:

```
permit nopass keepenv :wheel as root cmd networkmgr
```

Run `doas networkmgr` in terminal. Precede `doas` also when setting `networkmgr` in an autostart file.


----------
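The doas.conf rule sets posted in this thread differ in how much they grant. As an added example (not part of any post, and not networkmgr or doas code), this Python sketch parses doas.conf rules and flags the ones worth a second look. The finding names and the `ABSOLUTE` variant are constructed for illustration; its path is the one from the sudoers rule quoted earlier in the thread.

```python
# Added example: audit doas.conf rules. Grammar per doas.conf(5):
#   permit|deny [options] identity [as target] [cmd command [args ...]]
# Assumption: setenv { ... } option blocks are not handled by this sketch.
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

def parse_rule(line):
    tok = line.split()
    rule = {"action": tok[0], "options": [], "target": None, "cmd": None}
    i = 1
    while i < len(tok) and tok[i] in OPTIONS:
        rule["options"].append(tok[i])
        i += 1
    rule["identity"] = tok[i]          # user name, or :group
    i += 1
    if i < len(tok) and tok[i] == "as":
        rule["target"] = tok[i + 1]
        i += 2
    if i < len(tok) and tok[i] == "cmd":
        rule["cmd"] = tok[i + 1]
    return rule

def audit(conf_text):
    """Return (line_number, finding) pairs for permit rules worth reviewing."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("permit"):
            continue                   # skip blanks, comments and deny rules
        rule = parse_rule(line)
        if rule["cmd"] is None:
            findings.append((n, "any-command"))     # no cmd: every command allowed
        elif not rule["cmd"].startswith("/"):
            findings.append((n, "relative-cmd"))    # doas.conf(5) advises absolute paths
        if {"nopass", "keepenv"} <= set(rule["options"]):
            findings.append((n, "nopass-keepenv"))  # caller's env reaches root, no password
    return findings

# Rule sets as posted in the thread, plus one constructed variant.
FIRST_POST = """permit keepenv :base9
permit :wheel
permit nopass keepenv :wheel cmd netcardmgr
permit nopass keepenv :wheel cmd ifconfig
permit nopass keepenv :wheel cmd service
permit nopass keepenv :wheel cmd wpa_supplicant"""
LAST_POST = "permit nopass keepenv :wheel as root cmd networkmgr"
ABSOLUTE = "permit nopass keepenv :wheel as root cmd /usr/local/bin/networkmgr"  # constructed

if __name__ == "__main__":
    print(audit(FIRST_POST), audit(LAST_POST), audit(ABSOLUTE), sep="\n")
```

The two-line doas.conf from the Sep 28 post reports `any-command` on both lines, since neither rule restricts the command.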

