From owner-freebsd-net@FreeBSD.ORG  Wed Mar 14 13:29:43 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@FreeBSD.org
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id EE4F416A409;
	Wed, 14 Mar 2007 13:29:43 +0000 (UTC)
	(envelope-from frank@pinky.sax.de)
Received: from pinky.frank-behrens.de (pinky.frank-behrens.de [82.139.199.24])
	by mx1.freebsd.org (Postfix) with ESMTP id 5DB2213C48C;
	Wed, 14 Mar 2007 13:29:43 +0000 (UTC)
	(envelope-from frank@pinky.sax.de)
Received: from [192.168.20.32] (sun.behrens [192.168.20.32])
	by pinky.frank-behrens.de (8.13.8/8.13.8) with ESMTP id l2EDTfuJ089208; 
	Wed, 14 Mar 2007 14:29:41 +0100 (CET)
	(envelope-from frank@pinky.sax.de)
Message-Id: <200703141329.l2EDTfuJ089208@pinky.frank-behrens.de>
From: "Frank Behrens" <frank@pinky.sax.de>
To: "Bruce M. Simpson" <bms@FreeBSD.org>
Date: Wed, 14 Mar 2007 14:29:48 +0100
MIME-Version: 1.0
Priority: normal
In-reply-to: <45F7F405.4040607@FreeBSD.org>
References: <200703141213.l2ECDntN087975@pinky.frank-behrens.de>
X-mailer: Pegasus Mail for Windows (4.31, DE v4.31 R1)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
Cc: freebsd-net@FreeBSD.org
Subject: Re: tap(4) should go UP if opened
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2007 13:29:44 -0000

Bruce,
many thanks for your fast response.

Bruce M. Simpson <bms@FreeBSD.org> wrote on 14 Mar 2007 13:09:
> The conditional in the second patch is a no-op as the open will be 
> forbidden if the user did not have privilege to open the tap. Bringing 

No. A process running with root rights can always open the tap.

> the interface up by default potentially violates POLA, so this should 
> not happen by default.

Ok, I see that the behaviour changes. 

I wonder who used the "tap user open" sysctl, when additional root rights are necessary to 
bring the interface UP? I can't imagine a setup where this could be used, somebody else?

> Please try the attached patch, which puts this behaviour under a sysctl.

Fine! This should work without problems. I agree with this solution, sounds good. I'll test it 
and report the result.

Regards and thanks for your support,
   Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.