https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200185
Kyle Evans <kev...@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rwat...@freebsd.org

--- Comment #2 from Kyle Evans <kev...@freebsd.org> ---
CC'ing rwatson@- PRIV_NET_TAP is allocated and also used for allowing opening of tap devices, because this is historically a superuser-only privilege. It was added after the user_open sysctl and we currently honor PRIV_NET_TAP xor user_open; it seems like PRIV_NET_TAP should've pushed user_open towards deprecation in favor of MAC policy to more cleanly do the same thing.

I'm not sure now what the correct behavior is- your point about groups is good, but do we want to (also, can we?) do away with PRIV_NET_TAP in favor of relying on group membership?

> Also, I doubt that PRIV_NET_IFCREATE even works properly, because I wasn't
> able to clone /dev/tapN even when my user is in wheel and network groups, and
> /dev is owned by root:wheel and has 0777 mask. I still got 'Permission
> denied'.

Basically all PRIV_* are only granted to root by default without a policy to grant them otherwise, so this is correct behavior.

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net