author    David Woodhouse <dwmw2@infradead.org>    2006-06-22 19:07:52 -0400
committer David S. Miller <davem@sunset.davemloft.net>    2006-06-23 05:07:44 -0400
commit    ca6bb5d7ab22ac79f608fe6cbc6b12de6a5a19f0
tree      7255df98fa5692c498605d2bd80402ec866f134a
parent    f4b8ea7849544114e9d3d682df4d400180854677
[NET]: Require CAP_NET_ADMIN to create tuntap devices.
The tuntap driver allows an admin to create persistent devices and assign ownership of them to individual users. Unfortunately, relaxing the permissions on the /dev/net/tun device node so that they can actually use those devices will _also_ allow those users to create arbitrary new devices of their own. This patch corrects that, and adjusts the recommended permissions for the device node accordingly.

Signed-off-By: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

 Documentation/networking/tuntap.txt | 11
 drivers/net/tun.c                   |  3
 2 files changed, 10 insertions, 4 deletions
diff --git a/Documentation/networking/tuntap.txt b/Documentation/networking/tuntap.txt
index 76750fb9151a..839cbb71388b 100644
--- a/Documentation/networking/tuntap.txt
+++ b/Documentation/networking/tuntap.txt
@@ -39,10 +39,13 @@ Copyright (C) 1999-2000 Maxim Krasnyansky <max_mk@yahoo.com>
39 mknod /dev/net/tun c 10 200 39 mknod /dev/net/tun c 10 200
40 40
41 Set permissions: 41 Set permissions:
42 e.g. chmod 0700 /dev/net/tun 42 e.g. chmod 0666 /dev/net/tun
43 if you want the device only accessible by root. Giving regular users the 43 There's no harm in allowing the device to be accessible by non-root users,
44 right to assign network devices is NOT a good idea. Users could assign 44 since CAP_NET_ADMIN is required for creating network devices or for
45 bogus network interfaces to trick firewalls or administrators. 45 connecting to network devices which aren't owned by the user in question.
46 If you want to create persistent devices and give ownership of them to
47 unprivileged users, then you need the /dev/net/tun device to be usable by
48 those users.
46 49
47 Driver module autoloading 50 Driver module autoloading
48 51
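Review bot: the new recommendation "chmod 0666 /dev/net/tun" at line 42 and the sentence at lines 43-45 are only safe on kernels that carry the tun.c change in this same patch; the commit message itself says that on earlier kernels a relaxed node mode lets users create arbitrary new devices. The documentation should say so, for example "On kernels before this change, leave the node root-only (0700)", and it would help to mention a narrower alternative such as 0660 with a dedicated group so that only the users who actually own persistent devices can open the node at all.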
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index a1ed2d983740..6c62d5c88268 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -490,6 +490,9 @@ static int tun_set_iff(struct file *file, struct ifreq *ifr)
490 490
491 err = -EINVAL; 491 err = -EINVAL;
492 492
493 if (!capable(CAP_NET_ADMIN))
494 return -EPERM;
495
493 /* Set dev type */ 496 /* Set dev type */
494 if (ifr->ifr_flags & IFF_TUN) { 497 if (ifr->ifr_flags & IFF_TUN) {
495 /* TUN device */ 498 /* TUN device */
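Review bot: the capable(CAP_NET_ADMIN) check added at new lines 493-494 sits in the path that creates a new interface (after `err = -EINVAL;` and before "Set dev type"), which is the right place given the commit message, but it carries no comment; a one-line comment such as "/* Creating a new device needs CAP_NET_ADMIN; attaching to an existing device is governed by its owner */" would stop a later reader from assuming the check also applies to attaching to a persistent device, and would document why the check is here rather than in the open() path, which is exactly what lets unprivileged owners still open /dev/net/tun.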