On Wed, Sep 22, 2010 at 07:09:55PM +0200, Stefan Sperling wrote:
> In case you didn't know, there already is a way for non-privileged users
> to open a tun/tap device if the admin allows sudo -C.
> See the qemu port's README.OpenBSD for an example.
Theo pointed out that this doesn't work. The sudo -C workaround assumes that the user can run "sudo sh". So users get full privs and then drop them, rather than starting out with tun-only privs. I stand corrected.
