From: obsd@mulh.net
Subject: Re: ifconfig(8): mention that some config is root-only
To: tech@openbsd.org
Date: Thu, 30 Apr 2026 10:20:53 -0400

On 2026-04-30 13:53:03, Stuart Henderson wrote:
> On 2026/04/30 20:26, Pontus Stenetorp wrote:
> > On Thu 30 Apr 2026, Stuart Henderson wrote:
> > > 
> > > re https://marc.info/?l=openbsd-misc&m=177751432601667&w=2
> > > 
> > > we do have "Detailed peer information is available to the superuser <...>" 
> > > for wg(4) in ifconfig(8) but no mention of the more general case.
> > > 
> > > does this make sense?
> > > 
> > > Index: ifconfig.8
> > > ===================================================================
> > > RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
> > > diff -u -p -r1.413 ifconfig.8
> > > --- ifconfig.8	3 Dec 2025 10:19:27 -0000	1.413
> > > +++ ifconfig.8	30 Apr 2026 09:55:00 -0000
> > > @@ -68,6 +68,10 @@ If a protocol family is specified,
> > >  will report only the details specific to that protocol family.
> > >  If no parameters are provided, a summary of all interfaces is provided.
> > >  .Pp
> > > +Some parts of interface configuration, for example private keys or
> > > +passphrases, are only available to the superuser and are otherwise
> > > +omitted.
> > > +.Pp
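
Review bot: The examples in the added sentence ("private keys or passphrases") suggest that only secrets are withheld from non-root users, while the WIREGUARD section of the same page already states that "Detailed peer information is available to the superuser", which covers more than keys. Since the new paragraph follows the text on what ifconfig reports, consider "displayed" instead of "available", and wording that does not read as a complete list, for example "Some details, such as private keys or passphrases, are only displayed to the superuser." A cross-reference to the protocol-specific sections would let readers find what is restricted for each interface type.
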
> > 
> > It is the case that all information omitted is sensitive due to security implications, no?
>
> Not to my eyes. For wg(4), all peer information is omitted for !root,
> including pubkeys, descr, bytes tx/rx, last handshake, etc. (And
> actually wgpsk isn't available, even to root). So I prefer to leave
> this a bit ambiguous and just suggest that root may see more than
> !root without going into too many details.

Isn't this already in ifconfig.8?

I do a "man ifconfig" and scroll down to "WIREGUARD".
Right after the grammar syntax is the text you're suggesting.

	WIREGUARD
		ifconfig wg-interface [wgkey privatekey] [wgport port] [wgrtable rtable]
			[-wgpeerall] [[-]wgpeer publickey [[-]wgdescr[iption] value]
			[wgaip allowed-ip_address/prefix] [wgendpoint peer_address port]
			[wgpka interval] [wgpsk presharedkey] [-wgpsk]]

*		Detailed peer information is available to the superuser when ifconfig is
*		run with the -A flag or when passed specific wg-interface names.

		The following options are available for wg(4) interfaces: