From: obsd@mulh.net
Subject: Re: ifconfig(8): mention that some config is root-only
To: tech@openbsd.org
Date: Thu, 30 Apr 2026 10:20:53 -0400

On 2026-04-30 13:53:03, Stuart Henderson wrote:
> On 2026/04/30 20:26, Pontus Stenetorp wrote:
> > On Thu 30 Apr 2026, Stuart Henderson wrote:
> > >
> > > re https://marc.info/?l=openbsd-misc&m=177751432601667&w=2
> > >
> > > we do have "Detailed peer information is available to the superuser <...>"
> > > for wg(4) in ifconfig(8) but no mention of the more general case.
> > >
> > > does this make sense?
> > >
> > > Index: ifconfig.8
> > > ===================================================================
> > > RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
> > > diff -u -p -r1.413 ifconfig.8
> > > --- ifconfig.8 3 Dec 2025 10:19:27 -0000 1.413
> > > +++ ifconfig.8 30 Apr 2026 09:55:00 -0000
> > > @@ -68,6 +68,10 @@ If a protocol family is specified, > > > will report only the details specific to that protocol family. > > > If no parameters are provided, a summary of all interfaces is provided. > > > .Pp > > > +Some parts of interface configuration, for example private keys or > > > +passphrases, are only available to the superuser and are otherwise > > > +omitted. > > > +.Pp > > > > It is the case that all information omitted is sensitive due to security implications, no? > > Not to my eyes. For wg(4), all peer information is omitted for !root, > including pubkeys, descr, bytes tx/rx, last handshake, etc. (And > actually wgpsk isn't available, even to root). So I prefer to leave > this a bit ambiguous and just suggest that root may see more than > !root without going into too many details. Isn't this already in ifconfig.8? I do a "man ifconfig" and scroll down to "WIREGUARD". Right after the grammar syntax is the text you're suggesting. WIREGUARD ifconfig wg-interface [wgkey privatekey] [wgport port] [wgrtable rtable] [-wgpeerall] [[-]wgpeer publickey [[-]wgdescr[iption] value] [wgaip allowed-ip_address/prefix] [wgendpoint peer_address port] [wgpka interval] [wgpsk presharedkey] [-wgpsk]] * Detailed peer information is available to the superuser when ifconfig is * run with the -A flag or when passed specific wg-interface names. The following options are available for wg(4) interfaces:
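
Review bot: the example in the paragraph added at -68,6 +68,10 ("for example private keys or passphrases") reads as if only secrets are withheld from non-root users, while the discussion in this thread notes that for wg(4) all peer information is omitted for !root (public keys, descriptions, byte counters, last handshake) and that wgpsk is not shown even to root. Consider dropping the example, or wording the sentence so it implies neither that everything omitted is a secret nor that the superuser sees everything, e.g. "Some parts of interface configuration are only shown to the superuser and are otherwise omitted." The WIREGUARD section already carries the wg(4)-specific sentence about detailed peer information, so the general statement here would sit alongside it rather than replace it.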