Date: Sun, 04 Feb 2007 21:49:00 +0000 From: "Bruce M. Simpson" <bms@FreeBSD.org> To: Robert Watson <rwatson@FreeBSD.org> Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/net if_tap.c if_tun.c src/share/man/man4 tap.4 tun.4 Message-ID: <45C654CC.6040202@FreeBSD.org> In-Reply-To: <20070204202722.K91177@fledge.watson.org> References: <200702041632.l14GWlwX033519@repoman.freebsd.org> <20070204202722.K91177@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Robert Watson wrote: > > Perhaps the tapclone privilege check should also check tapuopen, as > the open check does? > You mean like this? Haven't tested this, but it feels right (let users create tap/tun interfaces if the user_open sysctl is enabled):- Index: if_tap.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_tap.c,v retrieving revision 1.69 diff -u -p -r1.69 if_tap.c --- if_tap.c 4 Feb 2007 16:32:46 -0000 1.69 +++ if_tap.c 4 Feb 2007 21:48:04 -0000 @@ -340,11 +340,7 @@ tapclone(void *arg, struct ucred *cred, if (*dev != NULL) return; - /* - * If tap cloning is enabled, only the superuser can create - * an interface. - */ - if (!tapdclone || priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0) + if (!tapuopen && priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0) return; unit = 0; Exit 1
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45C654CC.6040202>