From ca6bb5d7ab22ac79f608fe6cbc6b12de6a5a19f0 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Thu, 22 Jun 2006 16:07:52 -0700 Subject: [NET]: Require CAP_NET_ADMIN to create tuntap devices. The tuntap driver allows an admin to create persistent devices and assign ownership of them to individual users. Unfortunately, relaxing the permissions on the /dev/net/tun device node so that they can actually use those devices will _also_ allow those users to create arbitrary new devices of their own. This patch corrects that, and adjusts the recommended permissions for the device node accordingly. Signed-off-By: David Woodhouse Signed-off-by: David S. Miller --- drivers/net/tun.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers') diff --git a/drivers/net/tun.c b/drivers/net/tun.c index a1ed2d98374..6c62d5c8826 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -490,6 +490,9 @@ static int tun_set_iff(struct file *file, struct ifreq *ifr) err = -EINVAL; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + /* Set dev type */ if (ifr->ifr_flags & IFF_TUN) { /* TUN device */ -- cgit v1.2.3