
Fun with NULL pointers, part 1

Fun with NULL pointers, part 1

Posted Jul 20, 2009 22:25 UTC (Mon) by mjw (subscriber, #16740)
Parent article: Fun with NULL pointers, part 1

Nice overview. What trick was used to actually open the /dev/net/tun device?
On my CentOS systems it is:
crw------- 1 root root 10, 200 Jul 16 12:18 /dev/net/tun
so it doesn't seem to be accessible by non-root normally.



Fun with NULL pointers, part 1

Posted Jul 20, 2009 23:13 UTC (Mon) by dwmw2 (subscriber, #2063)

On up to date systems it should have mode 0666. Only users with CAP_NET_ADMIN can create new tun devices, but then they can be made persistent and given to specific users/groups — who need to be able to open /dev/net/tun in order to attach to them.

Fun with NULL pointers, part 1

Posted Jul 20, 2009 23:18 UTC (Mon) by eparis (guest, #33060)

apparently some udev script which makes it world rw, I'm told (but haven't verified) that some VPN program changes it so they can run as normal users...

Fun with NULL pointers, part 1

Posted Jul 21, 2009 16:10 UTC (Tue) by dwmw2 (subscriber, #2063)

"apparently some udev script which makes it world rw, I'm told (but haven't verified) that some VPN program changes it so they can run as normal users..."
Yes, the udev script creates it with mode 0666 because that's the recommended configuration.

It's been possible to make tun devices that can be used by non-root since February 2002.

However, it was only in June 2006 that we made it reasonable to have 0666 permissions on /dev/net/tun, by adding the CAP_NET_ADMIN checks before creating new devices.

The OpenConnect VPN client, when used in conjunction with its NetworkManager plugin, will use this facility to run as its own unprivileged user. After the stupid tmpfile races we saw in Cisco's own client which runs as root, it seemed like an appropriate design choice for limiting security exposure (even though I couldn't possibly be as incompetent as the Cisco engineers).


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds