---

yaml --- r: 29186 b: refs/heads/master c: ca6bb5d h: refs/heads/master v: v3
git-mirror · Jun 23, 2006 · d7f3e6f · d7f3e6f
1 parent 9b0e400
commit d7f3e6f
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/[refs] b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: f4b8ea7849544114e9d3d682df4d400180854677
+refs/heads/master: ca6bb5d7ab22ac79f608fe6cbc6b12de6a5a19f0
diff --git a/trunk/Documentation/networking/tuntap.txt b/trunk/Documentation/networking/tuntap.txt
@@ -39,10 +39,13 @@ Copyright (C) 1999-2000 Maxim Krasnyansky <max_mk@yahoo.com>
      mknod /dev/net/tun c 10 200
 
   Set permissions:
-     e.g. chmod 0700 /dev/net/tun
-     if you want the device only accessible by root. Giving regular users the
-     right to assign network devices is NOT a good idea. Users could assign
-     bogus network interfaces to trick firewalls or administrators.
+     e.g. chmod 0666 /dev/net/tun
+     There's no harm in allowing the device to be accessible by non-root users,
+     since CAP_NET_ADMIN is required for creating network devices or for 
+     connecting to network devices which aren't owned by the user in question.
+     If you want to create persistent devices and give ownership of them to 
+     unprivileged users, then you need the /dev/net/tun device to be usable by
+     those users.
 
   Driver module autoloading
 

diff --git a/trunk/drivers/net/tun.c b/trunk/drivers/net/tun.c
@@ -490,6 +490,9 @@ static int tun_set_iff(struct file *file, struct ifreq *ifr)
 
 		err = -EINVAL;
 
+		if (!capable(CAP_NET_ADMIN))
+			return -EPERM;
+
 		/* Set dev type */
 		if (ifr->ifr_flags & IFF_TUN) {
 			/* TUN device */