From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: ifconfig(8): mention that some config is root-only
To: obsd@mulh.net
Cc: tech@openbsd.org
Date: Thu, 30 Apr 2026 15:31:57 +0100

On 2026/04/30 10:20, obsd@mulh.net wrote:
> On 2026-04-30 13:53:03, Stuart Henderson wrote:
> > On 2026/04/30 20:26, Pontus Stenetorp wrote:
> > > On Thu 30 Apr 2026, Stuart Henderson wrote:
> > > > 
> > > > re https://marc.info/?l=openbsd-misc&m=177751432601667&w=2
> > > > 
> > > > we do have "Detailed peer information is available to the superuser <...>" 
> > > > for wg(4) in ifconfig(8) but no mention of the more general case.
> > > > 
> > > > does this make sense?
> > > > 
> > > > Index: ifconfig.8
> > > > ===================================================================
> > > > RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
> > > > diff -u -p -r1.413 ifconfig.8
> > > > --- ifconfig.8	3 Dec 2025 10:19:27 -0000	1.413
> > > > +++ ifconfig.8	30 Apr 2026 09:55:00 -0000
> > > > @@ -68,6 +68,10 @@ If a protocol family is specified,
> > > >  will report only the details specific to that protocol family.
> > > >  If no parameters are provided, a summary of all interfaces is provided.
> > > >  .Pp
> > > > +Some parts of interface configuration, for example private keys or
> > > > +passphrases, are only available to the superuser and are otherwise
> > > > +omitted.
> > > > +.Pp
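Review bot: The examples in the added sentence ("private keys or passphrases") are all secrets, which invites the reading that only secret material is withheld from non-root users, while the WIREGUARD section of the same manual already says "Detailed peer information is available to the superuser". Consider dropping the examples or widening them, for instance "Some parts of interface configuration are only available to the superuser and are otherwise omitted.", so that someone checking interface state as an unprivileged user does not take missing output to mean that nothing is configured.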
> > > 
> > > It is the case that all information omitted is sensitive due to security implications, no?
> >
> > Not to my eyes. For wg(4), all peer information is omitted for !root,
> > including pubkeys, descr, bytes tx/rx, last handshake, etc. (And
> > actually wgpsk isn't available, even to root). So I prefer to leave
> > this a bit ambiguous and just suggest that root may see more than
> > !root without going into too many details.
> 
> Isn't this already in ifconfig.8?

Yes, but that doesn't cover the _other_, non-wg(4)-related, things that
are restricted.


> I do a "man ifconfig" and scroll down to "WIREGUARD".
> Right after the grammar syntax is the text you're suggesting.
> 
> 	WIREGUARD
> 		ifconfig wg-interface [wgkey privatekey] [wgport port] [wgrtable rtable]
> 			[-wgpeerall] [[-]wgpeer publickey [[-]wgdescr[iption] value]
> 			[wgaip allowed-ip_address/prefix] [wgendpoint peer_address port]
> 			[wgpka interval] [wgpsk presharedkey] [-wgpsk]]
> 
> *		Detailed peer information is available to the superuser when ifconfig is
> *		run with the -A flag or when passed specific wg-interface names.
> 
> 		The following options are available for wg(4) interfaces:
>