diff options
| -rw-r--r-- | Documentation/networking/tuntap.txt | 11 | ||||
| -rw-r--r-- | drivers/net/tun.c | 3 |
2 files changed, 10 insertions, 4 deletions
diff --git a/Documentation/networking/tuntap.txt b/Documentation/networking/tuntap.txt index 76750fb9151a..839cbb71388b 100644 --- a/Documentation/networking/tuntap.txt +++ b/Documentation/networking/tuntap.txt | |||
| @@ -39,10 +39,13 @@ Copyright (C) 1999-2000 Maxim Krasnyansky <max_mk@yahoo.com> | |||
| 39 | mknod /dev/net/tun c 10 200 | 39 | mknod /dev/net/tun c 10 200 |
| 40 | 40 | ||
| 41 | Set permissions: | 41 | Set permissions: |
| 42 | e.g. chmod 0700 /dev/net/tun | 42 | e.g. chmod 0666 /dev/net/tun |
| 43 | if you want the device only accessible by root. Giving regular users the | 43 | There's no harm in allowing the device to be accessible by non-root users, |
| 44 | right to assign network devices is NOT a good idea. Users could assign | 44 | since CAP_NET_ADMIN is required for creating network devices or for |
| 45 | bogus network interfaces to trick firewalls or administrators. | 45 | connecting to network devices which aren't owned by the user in question. |
| 46 | If you want to create persistent devices and give ownership of them to | ||
| 47 | unprivileged users, then you need the /dev/net/tun device to be usable by | ||
| 48 | those users. | ||
| 46 | 49 | ||
| 47 | Driver module autoloading | 50 | Driver module autoloading |
| 48 | 51 | ||
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index a1ed2d983740..6c62d5c88268 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c | |||
| @@ -490,6 +490,9 @@ static int tun_set_iff(struct file *file, struct ifreq *ifr) | |||
| 490 | 490 | ||
| 491 | err = -EINVAL; | 491 | err = -EINVAL; |
| 492 | 492 | ||
| 493 | if (!capable(CAP_NET_ADMIN)) | ||
| 494 | return -EPERM; | ||
| 495 | |||
| 493 | /* Set dev type */ | 496 | /* Set dev type */ |
| 494 | if (ifr->ifr_flags & IFF_TUN) { | 497 | if (ifr->ifr_flags & IFF_TUN) { |
| 495 | /* TUN device */ | 498 | /* TUN device */ |