Security Issue: How secure is sending confidential credentials via wpa_cli type interface?
bryan at kadzban.is-a-geek.net
Sat Aug 5 12:46:51 EDT 2006
Jouni Malinen wrote:
> Would you happen to have any useful examples of SDDL strings for this
> kind of use?
I don't have any, but I can come up with a few, see below.
> The format for setting SDDL string is as follows (with the silly deny
> everyone example):
OK, how about this (local admins group has permission, but nobody else):
("A" == "access allowed", "GA" == GENERIC_ALL == all permissions, and
"BA" == "builtin administrators" == the local admins. The empty fields
are for flags and object GUIDs, none of which should be required in this
Or this (local admins and the local "power users" group have
permissions, but nobody else):
(One ACCESS_ALLOWED ACE for GENERIC_ALL for builtin administrators, and
one ACCESS_ALLOWED ACE for GENERIC_ALL for power users.)
Or lastly, this (close to wide open, but you have to be a valid user on
(One ACCESS_ALLOWED ACE for GENERIC_ALL for the "authenticated users"
Finally, this one would allow absolutely everyone (including anonymous
users) -- this is *not* recommended, since named pipes can be attached
to from anywhere on the network (i.e. there's no "this machine only"
like there is with 127.0.0.1 sockets):
(BU == "builtin users", "AN" == "anonymous")
See also  for the format of ACEs, and  for the possible strings
that can be used for principal names.
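An added example, not part of the original message: a small Python helper that parses DACL strings of the kind described above and reports how widely each one opens the named pipe. The four SDDL strings are constructed here from the message's descriptions (they are not the strings from the original mail); the function names, the level names, the "PU" and "AU" aliases and the "WD" (Everyone) entry are assumptions of this example.

```python
import re

# Two-letter SDDL SID aliases: the groups named in the message, plus WD (Everyone).
PRINCIPALS = {"BA": "Builtin Administrators", "PU": "Power Users",
              "AU": "Authenticated Users", "BU": "Builtin Users",
              "AN": "Anonymous", "WD": "Everyone"}
NO_ACCOUNT_NEEDED = {"AN", "WD"}   # reachable without a valid logon
ANY_ACCOUNT = {"AU", "BU"}         # any valid user account is enough
KEYS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

def parse_dacl(sddl):
    """Split the D: part of an SDDL string into a list of ACE dicts."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL ACEs found in %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:   # conditional/7-field ACEs are out of scope here
            raise ValueError("unsupported ACE: (%s)" % body)
        aces.append(dict(zip(KEYS, fields)))
    return aces

def exposure(sddl):
    """Classify who the allow ACEs admit; deny ACEs are ignored (conservative)."""
    level = "restricted"
    for ace in parse_dacl(sddl):
        if ace["type"] != "A":
            continue
        if ace["trustee"] in NO_ACCOUNT_NEEDED:
            return "no-account-needed"
        if ace["trustee"] in ANY_ACCOUNT:
            level = "any-valid-account"
    return level

def describe(sddl):
    """One readable line per ACE: type, rights and the resolved trustee name."""
    return ["%s %s -> %s" % (a["type"], a["rights"],
                             PRINCIPALS.get(a["trustee"], a["trustee"]))
            for a in parse_dacl(sddl)]

# Constructed samples, in the order the message describes them.
SAMPLES = ["D:(A;;GA;;;BA)", "D:(A;;GA;;;BA)(A;;GA;;;PU)",
           "D:(A;;GA;;;AU)", "D:(A;;GA;;;BU)(A;;GA;;;AN)"]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-30s %-18s %s" % (s, exposure(s), "; ".join(describe(s))))
```

Because a named pipe can be opened from other hosts, any string that classifies as "no-account-needed" deserves the same scrutiny as a listening socket bound to all interfaces.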