DaggyStyle Watchman
Joined: 22 Mar 2006 Posts: 5929
Posted: Fri Jul 05, 2024 8:49 am Post subject: dev node write ignore permissions
I'm testing an issue I've found on another distro that manifests in Gentoo too.
I have this test program:
Code:
#include <linux/if.h>
#include <linux/if_tun.h> /* IFF_TAP, IFF_NO_PI, IFF_VNET_HDR, TUNSETIFF */
#include <stddef.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h> /* close() */

/* Flag bits used by this test */
enum {
    VIR_NETDEV_TAP_CREATE_NONE = 0,
    /* Bring the interface up */
    VIR_NETDEV_TAP_CREATE_IFUP = 1 << 0,
    /* Enable IFF_VNET_HDR on the tap device */
    VIR_NETDEV_TAP_CREATE_VNET_HDR = 1 << 1,
    /* Set this interface's MAC as the bridge's MAC address */
    VIR_NETDEV_TAP_CREATE_USE_MAC_FOR_BRIDGE = 1 << 2,
    /* The device will persist after the file descriptor is closed */
    VIR_NETDEV_TAP_CREATE_PERSIST = 1 << 3,
    /* The device is allowed to exist before creation */
    VIR_NETDEV_TAP_CREATE_ALLOW_EXISTING = 1 << 4,
};

int main(void)
{
    int fd;
    const char *tunpath = "/dev/net/tun";
    size_t tapfdSize = 1;
    struct ifreq ifr = { 0 };
    unsigned int flags = VIR_NETDEV_TAP_CREATE_IFUP;

    /* Always request the vnet header in this test (stands in for a real condition) */
    if (1)
        flags |= VIR_NETDEV_TAP_CREATE_VNET_HDR;

    /* Opening the node is governed by its file permissions */
    if ((fd = open(tunpath, O_RDWR)) < 0) {
        perror("Unable to open, is tun module loaded?");
        exit(1);
    }

    /* Interface name, bounded by the size of the ifr_name buffer */
    snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "vnet");
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;

    /* If tapfdSize is greater than one, request multiqueue */
    if (tapfdSize > 1)
        ifr.ifr_flags |= IFF_MULTI_QUEUE;

    if (flags & VIR_NETDEV_TAP_CREATE_VNET_HDR)
        ifr.ifr_flags |= IFF_VNET_HDR;

    /* Creating the interface is a privileged operation, independent of the open() above */
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
        perror("Unable to create tap device");
    }

    close(fd);
    return 0;
}
I compile it and run it as root and as dagg. As root the ioctl works; as dagg it doesn't.
The output in the latter case is this:
Unable to create tap device: Operation not permitted
The file's permissions are these:
crw-rw-rw- 1 root dagg 10, 200 Jul 5 11:35 /dev/net/tun
Looking at the code, I see this might be relevant to namespaces. If that is the case, why are permissions even needed anymore?
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
DaggyStyle Watchman
Joined: 22 Mar 2006 Posts: 5929
Posted: Sat Jul 06, 2024 3:58 pm
After digging in the kernel, I have a hunch: I think I need to allow the net admin cap for the binary.
So, how can I set the net admin cap for a command for a group? I found how to do it for a user; I can write a script that finds all the users in a group and sets the ability for each of them,
but I'd rather try not to reinvent the wheel if possible.
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5050 Location: Bavaria
Posted: Sat Jul 06, 2024 8:03 pm
DaggyStyle wrote:
    After digging in the kernel, I have a hunch: I think I need to allow the net admin cap for the binary.
    So, how can I set the net admin cap for a command for a group? [...]

Do you mean "setcap"? (see "man setcap"; also "man capabilities")
Example:
Code:
# getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
DaggyStyle Watchman
Joined: 22 Mar 2006 Posts: 5929
Posted: Sat Jul 06, 2024 10:00 pm
pietinger wrote:
    DaggyStyle wrote:
        After digging in the kernel, I have a hunch: I think I need to allow the net admin cap for the binary.
        So, how can I set the net admin cap for a command for a group? [...]

    Do you mean "setcap"? (see "man setcap"; also "man capabilities")
    Example:
    Code:
    # getcap /usr/bin/ping
    /usr/bin/ping cap_net_raw=ep

Not quite; if I'm not mistaken, this changes it for all users and not only for a group of them.
I think pam_cap.so is what I need.
Will report back when I have it working.
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
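An added check (example code written for this thread, not DaggyStyle's test program and not from the kernel) that separates the two failures discussed above: the mode bits on /dev/net/tun only decide whether open(2) succeeds, while TUNSETIFF is checked against CAP_NET_ADMIN in the caller's network namespace, which is why a world-writable node still returns EPERM for user dagg. The CapEff line format in /proc/self/status and the bit number 12 for CAP_NET_ADMIN are standard Linux; the function names are my own.

```c
/* Added example, not code from the thread: tell a capability failure from a
 * file-permission failure. open(2) on /dev/net/tun is governed by the node's
 * mode bits; TUNSETIFF is not: it needs CAP_NET_ADMIN in the caller's network
 * namespace, so a 0666 node still gives EPERM without that capability. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_ADMIN_BIT 12   /* CAP_NET_ADMIN from <linux/capability.h> */

/* Test bit `cap` of the hex mask on a "CapEff:\t<hex>" line as printed in
 * /proc/self/status. Returns 1 if set, 0 if clear, -1 if the line is not a
 * CapEff line or `cap` is out of range of the 64-bit mask. */
int cap_line_has(const char *line, unsigned cap)
{
    if (strncmp(line, "CapEff:", 7) != 0 || cap >= 64)
        return -1;
    const char *p = line + 7;
    while (*p == ' ' || *p == '\t')
        p++;
    unsigned long long mask = strtoull(p, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Find the current process's CapEff line; -1 if /proc/self/status is missing. */
int self_has_cap(unsigned cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    while (result == -1 && fgets(line, sizeof line, f))
        result = cap_line_has(line, cap);
    fclose(f);
    return result;
}

int main(void)
{
    int v = self_has_cap(CAP_NET_ADMIN_BIT);
    if (v == 1)
        puts("CAP_NET_ADMIN effective: TUNSETIFF may proceed");
    else if (v == 0)
        puts("CAP_NET_ADMIN missing: TUNSETIFF will return EPERM even on a 0666 /dev/net/tun");
    else
        puts("could not read CapEff from /proc/self/status");
    return v == 1 ? 0 : 1;
}
```

Running it as root and as dagg before the tap test shows which of the two gates is actually closing; a file capability set with setcap applies to everyone who executes the binary, which is the distinction raised in the reply above.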