From mi@misha.cisco.com Tue Jun  1 10:20:22 1999
Return-Path: <mi@misha.cisco.com>
Received: from misha.cisco.com (misha.cisco.com [171.69.206.50])
	by hub.freebsd.org (Postfix) with ESMTP id 6096614E63
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  1 Jun 1999 10:20:14 -0700 (PDT)
	(envelope-from mi@misha.cisco.com)
Received: (from mi@localhost)
	by misha.cisco.com (8.9.2/8.9.1) id NAA44297;
	Tue, 1 Jun 1999 13:20:13 -0400 (EDT)
	(envelope-from mi)
Message-Id: <199906011720.NAA44297@misha.cisco.com>
Date: Tue, 1 Jun 1999 13:20:13 -0400 (EDT)
From: Mikhail Teterin <mi@misha.cisco.com>
Reply-To: mi@aldan.algebra.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: brian@Awfulhak.org
Subject: access to tunN devices not allowed to non-root despite permissions
X-Send-Pr-Version: 3.2

>Number:         11981
>Category:       kern
>Synopsis:       access to tunN devices not allowed to non-root despite permissions
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    brian
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun  1 10:30:02 PDT 1999
>Closed-Date:    Sat Feb 3 20:20:50 PST 2001
>Last-Modified:  Sat Feb 03 20:24:57 PST 2001
>Originator:     Mikhail Teterin
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
Virtual Estates, Inc.
>Environment:

>Description:

	Despite the proper permissions on the /dev/tun? files, the tun devices
	can only be opened by root. It seems the tun driver checks for this,
	without an obvious good reason...
	
	In addition, I'd like to be able to delegate an interface configuration
	to a non-root user, who is able to write to the device...

>How-To-Repeat:

	mi@chubby:~ (84) ls -l /dev/tun3
	crw-rw----  1 mi  dialer   52,   3 Jun  1 11:00 /dev/tun3
	mi@chubby:~ (85) groups
	mi dialer operator wheel
	mi@chubby:~ (86) cat /dev/tun3
	cat: /dev/tun3: Operation not permitted
	mi@chubby:~ (87) whoami
	mi


>Fix:

>Release-Note:
>Audit-Trail:

From: Chris Costello <chris@calldei.com>
To: mi@aldan.algebra.com
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: kern/11981: access to tunN devices not allowed to non-root despite permissions
Date: Tue, 1 Jun 1999 12:34:33 -0500

 On Tue, Jun 1, 1999, Mikhail Teterin wrote:
 > 	mi@chubby:~ (84) ls -l /dev/tun3
 > 	crw-rw----  1 mi  dialer   52,   3 Jun  1 11:00 /dev/tun3
 > 	mi@chubby:~ (85) groups
 > 	mi dialer operator wheel
 > 	mi@chubby:~ (86) cat /dev/tun3
 > 	cat: /dev/tun3: Operation not permitted
 > 	mi@chubby:~ (87) whoami
 > 	mi
 
    No, it just means you can't use 'cat' on tunX.  Try running
 'ppp' with it.
 
 -- 
 Chris Costello                                <chris@calldei.com>
 A paperless office has about as much chance as a paperless bathroom.
 

From: Mikhail Teterin <mi@aldan.algebra.com>
To: chris@calldei.com
Cc: mi@aldan.algebra.com, FreeBSD-gnats-submit@FreeBSD.ORG,
	brian@Awfulhak.org
Subject: Re: kern/11981: access to tunN devices not allowed to non-root despite permissions
Date: Tue, 1 Jun 1999 13:46:15 -0400 (EDT)

 Chris Costello once wrote:
 
 > On Tue, Jun 1, 1999, Mikhail Teterin wrote:
 > > 	mi@chubby:~ (84) ls -l /dev/tun3
 > > 	crw-rw----  1 mi  dialer   52,   3 Jun  1 11:00 /dev/tun3
 > > 	mi@chubby:~ (85) groups
 > > 	mi dialer operator wheel
 > > 	mi@chubby:~ (86) cat /dev/tun3
 > > 	cat: /dev/tun3: Operation not permitted
 > > 	mi@chubby:~ (87) whoami
 > > 	mi
 > 
 >    No, it  just means you can't  use 'cat' on tunX.  Try running 'ppp'
 > with it.
 
 Aha, and  what's so special  about cat(1)? I  can not open(2)  the file,
 despite favorable  permissions, that's it.  cat is just an  example. Ppp
 works, because it is suid root. Yours,
 
 	-mi
 
State-Changed-From-To: open->closed 
State-Changed-By: brian 
State-Changed-When: Tue Jun 1 12:35:56 PDT 1999 
State-Changed-Why:  
This is not a software bug. 
As I said in my mail, there's no point in being able to read/write 
/dev/tun* because you haven't got permission to configure the interface 
anyway. 

As most interfaces have no associated device in /dev, there is no facility 
in the kernel for anyone except root to add & remove routes etc. 

It would be plausible to add that facility (IMHO), but the lack of that 
facility doesn't constitute a bug. 

Translation:  It's an enhancement - you'd need to discuss it on -hackers 
and then probably implement it yourself if you want it to happen. 
State-Changed-From-To: closed->open 
State-Changed-By: brian 
State-Changed-When: Tue Jun 1 17:51:02 PDT 1999 
State-Changed-Why:  
The use of suser() *is* an issue here and is probably wrong. 
This PR can stay open 'till someone does something about it. 
Responsible-Changed-From-To: freebsd-bugs->brian 
Responsible-Changed-By: brian 
Responsible-Changed-When: Tue Jun 1 17:52:03 PDT 1999 
Responsible-Changed-Why:  
I'll be reworking the tun device soon, so I may as well keep this in mind. 

From: Chris Costello <chris@calldei.com>
To: Mikhail Teterin <mi@aldan.algebra.com>
Cc: chris@calldei.com, FreeBSD-gnats-submit@FreeBSD.ORG,
	brian@Awfulhak.org
Subject: Re: kern/11981: access to tunN devices not allowed to non-root despite permissions
Date: Wed, 2 Jun 1999 09:16:53 -0500

 On Tue, Jun 1, 1999, Mikhail Teterin wrote:
 > Chris Costello once wrote:
 > 
 > > On Tue, Jun 1, 1999, Mikhail Teterin wrote:
 > > > 	mi@chubby:~ (84) ls -l /dev/tun3
 > > > 	crw-rw----  1 mi  dialer   52,   3 Jun  1 11:00 /dev/tun3
 > > > 	mi@chubby:~ (85) groups
 > > > 	mi dialer operator wheel
 > > > 	mi@chubby:~ (86) cat /dev/tun3
 > > > 	cat: /dev/tun3: Operation not permitted
 > > > 	mi@chubby:~ (87) whoami
 > > > 	mi
 > > 
 > >    No, it  just means you can't  use 'cat' on tunX.  Try running 'ppp'
 > > with it.
 > 
 > Aha, and  what's so special  about cat(1)? I  can not open(2)  the file,
 > despite favorable  permissions, that's it.  cat is just an  example. Ppp
 > works, because it is suid root. Yours,
 
    Hmm.  So you were right; I tried the wrong set of 'things'
 (for lack of a better word).
 
 > 	-mi
 
 -- 
 Chris Costello                                <chris@calldei.com>
 ..... REALITY.SYS Corrupted - Unable to recover Universe
 
State-Changed-From-To: open->closed 
State-Changed-By: brian 
State-Changed-When: Sat Feb 3 20:20:50 PST 2001 
State-Changed-Why:  
-current now allows non-root users to open /dev/tun* 

Non-root users still can't configure the interface, but 
that's a different feature.... 

http://www.freebsd.org/cgi/query-pr.cgi?pr=11981 
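The diagnostic the thread turns on is the errno: cat reported "Operation not permitted" (EPERM), which is what a privilege check such as suser() returns, whereas a refusal by the vnode permission bits would have been "Permission denied" (EACCES). The program below is an added example written for this page; it is not code from the PR, from the FreeBSD tun driver, or from ppp. It opens the device and names the layer that refused, then tries the separate step brian's closing note mentions (configuring the interface), which the driver change did not unlock. The device path /dev/tun3 and interface name tun3 are taken from the PR's transcript; the errno-to-layer mapping is this editor's reading of the thread, and the "write the flags back unchanged" ioctl is a hypothetical no-op chosen only because it exercises the kernel's configuration privilege check without changing anything.

```c
/*
 * Added example (not part of PR kern/11981 or of the FreeBSD tun driver):
 * tell apart the ways open(2) on /dev/tunN can fail for a non-root user,
 * then check separately whether that user may configure the interface.
 *
 *   EACCES  -> the vnode permission check rejected us; fix with chmod/chgrp.
 *   EPERM   -> the driver's own privilege check (suser() in the 1999 tun
 *              driver) rejected us; no change to the node's mode will help.
 *   ENOENT  -> the device node does not exist.
 *
 * Builds on FreeBSD and Linux:  cc -Wall -o tunprobe tunprobe.c
 * Usage:  ./tunprobe /dev/tun3 tun3     (defaults are the PR's own names)
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/sockio.h>
#endif

/* Map an open(2) errno to the layer that refused the open. */
const char *classify_open_error(int err)
{
    switch (err) {
    case 0:      return "open succeeded";
    case EACCES: return "file permissions (fix with chmod/chgrp on the node)";
    case EPERM:  return "driver privilege check (suser), not file permissions";
    case ENOENT: return "device node missing";
    case EBUSY:  return "device already open by another process";
    default:     return "other error";
    }
}

/* Try to open the device read/write; return 0 or the errno from open(2). */
int probe_open(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/*
 * Being able to open the device says nothing about being able to configure
 * the interface, which is the point of the PR's closing note.  Read the
 * interface flags (unprivileged) and write them back unchanged (privileged):
 * a non-root user normally gets EPERM on the second ioctl.  Returns 0 if both
 * succeed, otherwise the errno of the failing call.
 */
int probe_configure(const char *ifname)
{
    struct ifreq ifr;
    int s, err = 0;

    s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return errno;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, ifname, sizeof ifr.ifr_name - 1);
    if (ioctl(s, SIOCGIFFLAGS, &ifr) < 0 ||
        ioctl(s, SIOCSIFFLAGS, &ifr) < 0)
        err = errno;
    close(s);
    return err;
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/tun3";  /* from the PR */
    const char *ifn = argc > 2 ? argv[2] : "tun3";       /* from the PR */
    int err;

    err = probe_open(dev);
    printf("open(%s): %s -> %s\n", dev, err ? strerror(err) : "ok",
           classify_open_error(err));

    err = probe_configure(ifn);
    printf("configure %s: %s\n", ifn, err ? strerror(err) : "ok");
    return 0;
}
```

Run it once as the unprivileged member of the dialer group and once as root: on the 1999 driver the first run fails at open() with EPERM even though the group bit is set, and on a driver without the suser() check in open the first run gets past open() but still fails in probe_configure with EPERM, which is exactly the split between "may open the device" and "may configure the interface" that the closing note draws.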
>Unformatted:
