Re: group ownership of tun devices -- nonfunctional?
From: Bodo Eggert
Date: Sun Aug 19 2007 - 17:43:02 EST
On Sun, 19 Aug 2007, Rene Herman wrote:
> On 08/19/2007 06:05 PM, Bodo Eggert wrote:
>
> > IMHO the check is broken:
> >
> > + if (((tun->owner != -1 &&
> > + current->euid != tun->owner) ||
> > + (tun->group != -1 &&
> > + current->egid != tun->group)) &&
> > + !capable(CAP_NET_ADMIN))
> > return -EPERM;
> >
> > It should be something like:
> >
> > + if (!((tun->owner == tun->owner) ||
> > + (tun->group == tun->group) ||
>
> ???
Argh, I edited asuming the same order of variables. Substitute
current->e{uid,gid} for one of the sides.
> > + capable(CAP_NET_ADMIN)))
> > return -EPERM;
The intended semantics is If the user is not
* the allowed user
or
* member of the allowed group
or
* cabable of CAP_NET_ADMIN
then error out. I'm asuming
Thinking about it, maybe you should check each group, not just the
effective group. In that case, my change would be still wrong. However,
I'm not going to fix this anytime soon.
--
Funny quotes:
15. I drive way too fast to worry about cholesterol.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/