lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 29 Jul 2011 16:28:08 +0200
From:	Petar Bogdanovic <petar@...kva.net>
To:	netdev@...r.kernel.org
Subject: [PATCH] drivers/net/tun.c: test for CAP_NET_ADMIN before attaching

The following change will test for CAP_NET_ADMIN before attaching, even
if both tun->owner and tun->group equal -1.  The latter scenario can be
reproduced with ip(8) from iproute2, when using `ip tuntap' without the
`user' and `group' option.


diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 55f3a3e..2ac2cbc 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -988,35 +988,35 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 	struct net_device *dev;
 	int err;
 
 	dev = __dev_get_by_name(net, ifr->ifr_name);
 	if (dev) {
 		const struct cred *cred = current_cred();
 
 		if (ifr->ifr_flags & IFF_TUN_EXCL)
 			return -EBUSY;
 		if ((ifr->ifr_flags & IFF_TUN) && dev->netdev_ops == &tun_netdev_ops)
 			tun = netdev_priv(dev);
 		else if ((ifr->ifr_flags & IFF_TAP) && dev->netdev_ops == &tap_netdev_ops)
 			tun = netdev_priv(dev);
 		else
 			return -EINVAL;
 
-		if (((tun->owner != -1 && cred->euid != tun->owner) ||
-		     (tun->group != -1 && !in_egroup_p(tun->group))) &&
-		    !capable(CAP_NET_ADMIN))
+		if (!(tun->owner != -1 && cred->euid == tun->owner ||
+		      tun->group != -1 && in_egroup_p(tun->group) ||
+		      capable(CAP_NET_ADMIN)))
 			return -EPERM;
 		err = security_tun_dev_attach(tun->socket.sk);
 		if (err < 0)
 			return err;
 
 		err = tun_attach(tun, file);
 		if (err < 0)
 			return err;
 	}
 	else {
 		char *name;
 		unsigned long flags = 0;
 
 		if (!capable(CAP_NET_ADMIN))
 			return -EPERM;
 		err = security_tun_dev_create();
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ