On Fri, 13 Oct 2006 14:22:48 -0700
[EMAIL PROTECTED] wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=7362
> 
>            Summary: tun/tap device needs root permission for TUNSETIFF ioctl
>     Kernel Version: 2.6.18
>             Status: NEW
>           Severity: normal
>              Owner: [EMAIL PROTECTED]
>          Submitter: [EMAIL PROTECTED]
> 
> 
> Most recent kernel where this bug did not occur: 2.6.17.13
> 
> Distribution: Slackware 10.2
> 
> Problem Description:
> Applying the TUNSETIFF ioctl needs root permissions, which weren't needed in previous
> versions. I was using qemu 0.8.2 (a virtual machine emulator), which uses a tap
> device to emulate a network between the guest and host operating systems.
> 
> The relevant part of the patch-2.6.18 file says:
> 
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index a1ed2d9..329d9fe 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -39,7 +39,6 @@ #define DRV_VERSION   "1.6"
>  #define DRV_DESCRIPTION        "Universal TUN/TAP device driver"
>  #define DRV_COPYRIGHT  "(C) 1999-2004 Max Krasnyansky <[EMAIL PROTECTED]>"
> 
> -#include <linux/config.h>
>  #include <linux/module.h>
>  #include <linux/errno.h>
>  #include <linux/kernel.h>
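Review bot: this hunk is unrelated to the permission change the report is about; it only drops `#include <linux/config.h>` and changes nothing in the driver's behaviour, so it can be left out of the excerpt to keep attention on the tun_set_iff hunk that follows.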
> @@ -490,6 +489,9 @@ static int tun_set_iff(struct file *file
> 
>                 err = -EINVAL;
> 
> +               if (!capable(CAP_NET_ADMIN))
> +                       return -EPERM;
> +
>                 /* Set dev type */
>                 if (ifr->ifr_flags & IFF_TUN) {
>                         /* TUN device */ 
> ...
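Review bot: the new `capable(CAP_NET_ADMIN)` check carries no comment saying what it gates, and the changelog quoted further down in this thread says the intent is to stop unprivileged users from creating new devices while persistent devices an admin has assigned to them stay usable; a one-line comment above the check, such as `/* creating a new device requires CAP_NET_ADMIN */`, would stop the next reader from taking this as a blanket TUNSETIFF restriction, which is exactly how the report read it. A smaller point: `return -EPERM` leaves through an early return immediately after `err = -EINVAL` is set, rather than through the function's error path; that is only safe if nothing allocated earlier in tun_set_iff needs releasing, which this excerpt does not show.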
> 
> I was handling security by limiting access to /dev/net/tun to a privileged
> Unix group, but now even if I can open the /dev/net/tun device, I need
> CAP_NET_ADMIN to use the TUNSETIFF ioctl.
> 

Changelog for ca6bb5d7ab22ac79f608fe6cbc6b12de6a5a19f0 says

    The tuntap driver allows an admin to create persistent devices and
    assign ownership of them to individual users. Unfortunately, relaxing
    the permissions on the /dev/net/tun device node so that they can
    actually use those devices will _also_ allow those users to create
    arbitrary new devices of their own. This patch corrects that, and
    adjusts the recommended permissions for the device node accordingly.

So I suspect you're out of luck.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
