lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 19 Aug 2007 18:05:26 +0200
From:	Bodo Eggert <7eggert@....de>
To:	Mike Mohr <akihana@...il.com>, linux-kernel@...r.kernel.org
Subject: Re: group ownership of tun devices -- nonfunctional?

Mike Mohr <akihana@...il.com> wrote:

(intentionally not snipping much)

> Per the post here:
> 
> http://lkml.org/lkml/2007/6/18/228
> 
> it appears that the group ownership patch has made it into .23.  I am
> using these patches, amongst which the kernel component appears to be
> identical:
> 
> http://sigxcpu.org/unsorted-patches/0001-allow-tun-ownership-by-group.patch
> http://sigxcpu.org/unsorted-patches/tunctl_gid.diff
> 
> I can create devices that are owned by my user account (tunctl -u
> `whoami` -t tap0) and it works fine.  However, if I use group
> permissions with -g it stops working.  In all cases, if I pass -g
> <group>, the interface is created correctly but it is unusable as a
> non-root user.
> 
> So my question is: am I doing something wrong?  If I am, I don't see
> it.  Assuming then that I am not doing anything wrong on my end, I
> assume then that there is something missing from the kernel patch I
> applied.  I read over it and I can't see any issues, especially
> considering that tunctl comes back without error (even with -g) and
> creates an interface.
> 
> Just wondering if this was an issue that should be looked into--


IMHO the check is broken:

+               if (((tun->owner != -1 &&
+                     current->euid != tun->owner) ||
+                    (tun->group != -1 &&
+                     current->egid != tun->group)) &&
+                    !capable(CAP_NET_ADMIN))
                        return -EPERM;

It should be something like:

+               if (!((tun->owner == tun->owner) ||
+                     (tun->group == tun->group) ||
+                     capable(CAP_NET_ADMIN)))
                        return -EPERM;

Please verify and forward to the maintainers if my guess appears to be correct.
-- 
Never stand when you can sit, never sit when you can lie down, never stay
awake when you can sleep.

Friß, Spammer: xxh@...txp.7eggert.dyndns.org
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ