Date: Sun, 04 Feb 2007 21:49:00 +0000
From: "Bruce M. Simpson" <bms@FreeBSD.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/net if_tap.c if_tun.c src/share/man/man4 tap.4 tun.4
Message-ID: <45C654CC.6040202@FreeBSD.org>
In-Reply-To: <20070204202722.K91177@fledge.watson.org>
References: <200702041632.l14GWlwX033519@repoman.freebsd.org> <20070204202722.K91177@fledge.watson.org>

Robert Watson wrote:
>
> Perhaps the tapclone privilege check should also check tapuopen, as
> the open check does?
>
You mean like this? Haven't tested this, but it feels right (let users
create tap/tun interfaces if the user_open sysctl is enabled):-
Index: if_tap.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if_tap.c,v
retrieving revision 1.69
diff -u -p -r1.69 if_tap.c
--- if_tap.c 4 Feb 2007 16:32:46 -0000 1.69
+++ if_tap.c 4 Feb 2007 21:48:04 -0000
@@ -340,11 +340,7 @@ tapclone(void *arg, struct ucred *cred,
if (*dev != NULL)
return;
- /*
- * If tap cloning is enabled, only the superuser can create
- * an interface.
- */
- if (!tapdclone || priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0)
+ if (!tapuopen && priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0)
return;
unit = 0;
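Review bot: the replacement condition in tapclone() drops the `!tapdclone` test altogether, so the early return no longer depends on whether cloning is enabled. With this hunk, a credential that passes priv_check_cred(cred, PRIV_NET_IFCREATE, 0), or any caller when tapuopen is set, proceeds to create an interface even with tapdclone at zero. If the intent is only to relax the privilege requirement when tapuopen is set, keep the gate and nest the new test inside it, for example `if (!tapdclone || (!tapuopen && priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0))`. The removed comment should also be replaced with one describing the new rule (cloning must be enabled, and the caller needs either tapuopen or PRIV_NET_IFCREATE), since the condition is now less obvious than the one it replaces.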
Exit 1
