From: Stuart Henderson Subject: Re: ifconfig(8): mention that some config is root-only To: obsd@mulh.net Cc: tech@openbsd.org Date: Thu, 30 Apr 2026 15:31:57 +0100 On 2026/04/30 10:20, obsd@mulh.net wrote: > On 2026-04-30 13:53:03, Stuart Henderson wrote: > > On 2026/04/30 20:26, Pontus Stenetorp wrote: > > > On Thu 30 Apr 2026, Stuart Henderson wrote: > > > > > > > > re https://marc.info/?l=openbsd-misc&m=177751432601667&w=2 > > > > > > > > we do have "Detailed peer information is available to the superuser <...>" > > > > for wg(4) in ifconfig(8) but no mention of the more general case. > > > > > > > > does this make sense? > > > > > > > > Index: ifconfig.8 > > > > =================================================================== > > > > RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v > > > > diff -u -p -r1.413 ifconfig.8 > > > > --- ifconfig.8 3 Dec 2025 10:19:27 -0000 1.413 > > > > +++ ifconfig.8 30 Apr 2026 09:55:00 -0000 
> > > > @@ -68,6 +68,10 @@ If a protocol family is specified, > > > > will report only the details specific to that protocol family. > > > > If no parameters are provided, a summary of all interfaces is provided. > > > > .Pp > > > > +Some parts of interface configuration, for example private keys or > > > > +passphrases, are only available to the superuser and are otherwise > > > > +omitted. > > > > +.Pp > > > > > > It is the case that all information omitted is sensitive due to security implications, no? > > > > Not to my eyes. For wg(4), all peer information is omitted for !root, > > including pubkeys, descr, bytes tx/rx, last handshake, etc. (And > > actually wgpsk isn't available, even to root). So I prefer to leave > > this a bit ambiguous and just suggest that root may see more than > > !root without going into too many details. > > Isn't this already in ifconfig.8? Yes but that doesn't cover the _other_, non-wg(4)-related, things that are restricted > I do a "man ifconfig" and scroll down to "WIREGUARD". > Right after the grammar syntax is the text you're suggesting. > > WIREGUARD > ifconfig wg-interface [wgkey privatekey] [wgport port] [wgrtable rtable] > [-wgpeerall] [[-]wgpeer publickey [[-]wgdescr[iption] value] > [wgaip allowed-ip_address/prefix] [wgendpoint peer_address port] > [wgpka interval] [wgpsk presharedkey] [-wgpsk]] > > * Detailed peer information is available to the superuser when ifconfig is > * run with the -A flag or when passed specific wg-interface names. > > The following options are available for wg(4) interfaces: >
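Review bot: The examples in the added sentence of the ifconfig.8 hunk at -68,6 +68,10 ("for example private keys or passphrases") read as if only secret material is withheld from non-root users, and as if the superuser can always retrieve it. The replies in this thread say otherwise on both counts: for wg(4) all peer information (pubkeys, descr, bytes tx/rx, last handshake) is omitted for !root, and wgpsk is not available even to root. Consider dropping the examples or widening them, for instance "Some parts of interface configuration are only displayed to the superuser and are otherwise omitted.", so the general statement stays consistent with the existing WIREGUARD sentence "Detailed peer information is available to the superuser".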