On Wed, Sep 22, 2010 at 07:09:55PM +0200, Stefan Sperling wrote:
> FreeBSD has a sysctl to disable the super user check for tap devices
> (the equivalent of OpenBSD's tun device with the link0 flag set),
> off by default:
> http://svn.freebsd.org/viewvc/base/head/sys/net/if_tap.c?revision=205222&view=markup
> SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tapuopen, 0,
>       "Allow user to open /dev/tap (based on node permissions)");
> 
> I suppose that's a bit safer than relying on device file perms alone,
> in case the perms get changed accidentally or via some attack vector.

I think that's ridiculous.  How do you prevent the sysctl accidentally
changing too then?

We already have knobs to control who can open tun(4) devices: they're
called filesystem permissions.

> A tap device can inject arbitrary packets on the local network,
> like a raw socket.

Yes, but only on the local tun(4) interface's virtual network.  It
doesn't let you inject arbitrary packets on other interfaces.

There's no more risk to having an attacker holding a tun(4) device
than there is from one directly connecting to an Ethernet port on your
machine.

> If a variant of this diff gets committed, you should adjust the EPERM
> error documentation in the tun(4) man page, too.

Ah, nice catch.  Fixed.
