From mi@misha.cisco.com Tue Jun 1 10:20:22 1999
Return-Path:
Received: from misha.cisco.com (misha.cisco.com [171.69.206.50]) by hub.freebsd.org (Postfix) with ESMTP id 6096614E63 for ; Tue, 1 Jun 1999 10:20:14 -0700 (PDT) (envelope-from mi@misha.cisco.com)
Received: (from mi@localhost) by misha.cisco.com (8.9.2/8.9.1) id NAA44297; Tue, 1 Jun 1999 13:20:13 -0400 (EDT) (envelope-from mi)
Message-Id: <199906011720.NAA44297@misha.cisco.com>
Date: Tue, 1 Jun 1999 13:20:13 -0400 (EDT)
From: Mikhail Teterin
Reply-To: mi@aldan.algebra.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: brian@Awfulhak.org
Subject: access to tunN devices not allowed to non-root despite permissions
X-Send-Pr-Version: 3.2

>Number:         11981
>Category:       kern
>Synopsis:       access to tunN devices not allowed to non-root despite permissions
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    brian
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 1 10:30:02 PDT 1999
>Closed-Date:    Sat Feb 3 20:20:50 PST 2001
>Last-Modified:  Sat Feb 03 20:24:57 PST 2001
>Originator:     Mikhail Teterin
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
Virtual Estates, Inc.
>Environment:
>Description:
Despite the proper permissions on the /dev/tun? files, the tun-devices can only be opened by root. It seems the tun-driver checks for this, without an obvious good reason...

In addition, I'd like to be able to delegate an interface configuration to a non-root user, who is able to write to the device...
>How-To-Repeat:
mi@chubby:~ (84) ls -l /dev/tun3
crw-rw----  1 mi  dialer   52,   3 Jun  1 11:00 /dev/tun3
mi@chubby:~ (85) groups
mi dialer operator wheel
mi@chubby:~ (86) cat /dev/tun3
cat: /dev/tun3: Operation not permitted
mi@chubby:~ (87) whoami
mi
>Fix:
>Release-Note:
>Audit-Trail:

From: Chris Costello
To: mi@aldan.algebra.com
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: kern/11981: access to tunN devices not allowed to non-root despite permissions
Date: Tue, 1 Jun 1999 12:34:33 -0500

On Tue, Jun 1, 1999, Mikhail Teterin wrote:
> mi@chubby:~ (84) ls -l /dev/tun3
> crw-rw----  1 mi  dialer   52,   3 Jun  1 11:00 /dev/tun3
> mi@chubby:~ (85) groups
> mi dialer operator wheel
> mi@chubby:~ (86) cat /dev/tun3
> cat: /dev/tun3: Operation not permitted
> mi@chubby:~ (87) whoami
> mi

   No, it just means you can't use 'cat' on tunX.  Try running 'ppp'
with it.

--
Chris Costello
A paperless office has about as much chance as a paperless bathroom.

From: Mikhail Teterin
To: chris@calldei.com
Cc: mi@aldan.algebra.com, FreeBSD-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: kern/11981: access to tunN devices not allowed to non-root despite permissions
Date: Tue, 1 Jun 1999 13:46:15 -0400 (EDT)

Chris Costello once wrote:

> On Tue, Jun 1, 1999, Mikhail Teterin wrote:
> > mi@chubby:~ (84) ls -l /dev/tun3
> > crw-rw----  1 mi  dialer   52,   3 Jun  1 11:00 /dev/tun3
> > mi@chubby:~ (85) groups
> > mi dialer operator wheel
> > mi@chubby:~ (86) cat /dev/tun3
> > cat: /dev/tun3: Operation not permitted
> > mi@chubby:~ (87) whoami
> > mi
>
> No, it just means you can't use 'cat' on tunX.  Try running 'ppp'
> with it.

Aha, and what's so special about cat(1)? I can not open(2) the file,
despite favorable permissions, that's it. cat is just an example. Ppp
works, because it is suid root.

Yours,

	-mi

State-Changed-From-To: open->closed
State-Changed-By: brian
State-Changed-When: Tue Jun 1 12:35:56 PDT 1999
State-Changed-Why:
This is not a software bug.
As I said in my mail, there's no point in being able to read/write /dev/tun* because you haven't got permission to configure the interface anyway. As most interfaces have no associated device in /dev, there is no facility in the kernel for anyone except root to add & remove routes etc. It would be plausible to add that facility (IMHO), but the lack of that facility doesn't constitute a bug.

Translation: It's an enhancement - you'd need to discuss it on -hackers and then probably implement it yourself if you want it to happen.

State-Changed-From-To: closed->open
State-Changed-By: brian
State-Changed-When: Tue Jun 1 17:51:02 PDT 1999
State-Changed-Why:
The use of suser() *is* an issue here and is probably wrong. This PR can stay open 'till someone does something about it.

Responsible-Changed-From-To: freebsd-bugs->brian
Responsible-Changed-By: brian
Responsible-Changed-When: Tue Jun 1 17:52:03 PDT 1999
Responsible-Changed-Why:
I'll be reworking the tun device soon, so I may as well keep this in mind.

From: Chris Costello
To: Mikhail Teterin
Cc: chris@calldei.com, FreeBSD-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: kern/11981: access to tunN devices not allowed to non-root despite permissions
Date: Wed, 2 Jun 1999 09:16:53 -0500

On Tue, Jun 1, 1999, Mikhail Teterin wrote:
> Chris Costello once wrote:
>
> > On Tue, Jun 1, 1999, Mikhail Teterin wrote:
> > > mi@chubby:~ (84) ls -l /dev/tun3
> > > crw-rw----  1 mi  dialer   52,   3 Jun  1 11:00 /dev/tun3
> > > mi@chubby:~ (85) groups
> > > mi dialer operator wheel
> > > mi@chubby:~ (86) cat /dev/tun3
> > > cat: /dev/tun3: Operation not permitted
> > > mi@chubby:~ (87) whoami
> > > mi
> >
> > No, it just means you can't use 'cat' on tunX.  Try running 'ppp'
> > with it.
>
> Aha, and what's so special about cat(1)? I can not open(2) the file,
> despite favorable permissions, that's it. cat is just an example. Ppp
> works, because it is suid root.
>
> Yours,

   Hmm.
So you were right; I tried the wrong set of 'things' (for lack of a better word).

> 	-mi

--
Chris Costello
..... REALITY.SYS Corrupted - Unable to recover Universe

State-Changed-From-To: open->closed
State-Changed-By: brian
State-Changed-When: Sat Feb 3 20:20:50 PST 2001
State-Changed-Why:
-current now allows non-root users to open /dev/tun*

Non-root users still can't configure the interface, but that's a different feature....

http://www.freebsd.org/cgi/query-pr.cgi?pr=11981
>Unformatted:
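The distinction this PR turns on, a denial from the node's mode bits versus a denial from a privilege check inside the driver, is visible from userland in which errno open(2) hands back. The probe below is an added example written for this page; it is not part of the PR and not FreeBSD's own code. The default path /dev/tun3 is taken from the report as a placeholder, and any other device node can be passed on the command line.

```c
/* Added example, not FreeBSD source: classify why open(2) on a device
 * node fails. A refusal by the file's mode bits (owner/group/other)
 * arrives as EACCES, "Permission denied". A refusal by a privilege check
 * that the driver performs on top of the mode bits, such as the suser()
 * check discussed in the PR, arrives as EPERM, "Operation not permitted",
 * even when ls -l shows a mode that grants the caller access. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum open_verdict {
    OPEN_OK,           /* open(2) succeeded */
    OPEN_DAC_DENIED,   /* EACCES: the mode bits themselves deny access */
    OPEN_PRIV_DENIED,  /* EPERM: a check beyond the mode bits refused it */
    OPEN_NOT_FOUND,    /* ENOENT: no such device node */
    OPEN_OTHER         /* anything else (EBUSY, ENXIO, ...) */
};

/* Map the errno of a failed open(2) (0 for success) onto a verdict. */
enum open_verdict classify_errno(int err)
{
    switch (err) {
    case 0:      return OPEN_OK;
    case EACCES: return OPEN_DAC_DENIED;
    case EPERM:  return OPEN_PRIV_DENIED;
    case ENOENT: return OPEN_NOT_FOUND;
    default:     return OPEN_OTHER;
    }
}

/* Attempt a read-only open, which is what cat(1) does in the report,
 * close the descriptor again if it worked, and return the verdict.
 * The raw errno is stored in *err_out when the caller supplies it. */
enum open_verdict probe_open(const char *path, int *err_out)
{
    int err = 0;
    int fd = open(path, O_RDONLY | O_NONBLOCK);

    if (fd < 0)
        err = errno;
    else
        close(fd);
    if (err_out != NULL)
        *err_out = err;
    return classify_errno(err);
}

const char *verdict_name(enum open_verdict v)
{
    switch (v) {
    case OPEN_OK:          return "opened";
    case OPEN_DAC_DENIED:  return "denied by mode bits (EACCES)";
    case OPEN_PRIV_DENIED: return "denied by a privilege check (EPERM)";
    case OPEN_NOT_FOUND:   return "no such node (ENOENT)";
    default:               return "failed for another reason";
    }
}

int main(int argc, char **argv)
{
    /* Placeholder default taken from the PR; pass another path to test it. */
    const char *path = argc > 1 ? argv[1] : "/dev/tun3";
    int err = 0;
    enum open_verdict v = probe_open(path, &err);

    printf("%s: %s", path, verdict_name(v));
    if (err != 0)
        printf(" [%s]", strerror(err));
    printf("\n");
    return v == OPEN_OK ? 0 : 1;
}
```

Run it as the unprivileged user who owns the node or belongs to its group, as in the report. EACCES means the mode bits deny access and chmod/chgrp is the remedy; EPERM together with a mode that should have allowed the call means something beyond the mode bits refused it, which is what the How-To-Repeat shows and what brian attributes to suser(). Running the probe as root proves nothing, because root passes both kinds of check. A successful open also does not imply the interface can be configured: a driver may let the open through and keep its privilege check on the configuration path, which is exactly the state brian describes when closing the PR.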