On Wed, Sep 22, 2010 at 07:04:35PM -0700, Matthew Dempsky wrote:
> On Wed, Sep 22, 2010 at 07:09:55PM +0200, Stefan Sperling wrote:
> > FreeBSD has a sysctl to disable the super user check for tap devices
> > (the equivalent of OpenBSD's tun device with the link0 flag set),
> > off by default:
> > http://svn.freebsd.org/viewvc/base/head/sys/net/if_tap.c?revision=205222&view=markup
> > SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tapuopen, 0,
> > "Allow user to open /dev/tap (based on node permissions)");
> >
> > I suppose that's a bit safer than relying on device file perms alone,
> > in case the perms get changed accidentally or via some attack vector.
>
> I think that's ridiculous. How do you prevent the sysctl accidentally
> changing too then?

You don't.

> We already have knobs to control who can open tun(4) devices: they're
> called filesystem permissions.

It's just about having another barrier by default.
It boils down to whether we're paranoid enough to believe that someone
might be able to circumvent tun device file permissions without the
admin's consent, for whatever reason.

But whatever. My complaint has been registered. I'll think about it
some more. If I care enough I'll send a diff.

> > A tap device can inject arbitrary packets on the local network,
> > like a raw socket.
>
> Yes, but only on the local tun(4) interface's virtual network. It
> doesn't let you inject arbitrary packets on other interfaces.

Depends. A tun device can do layer 2, and can be part of a bridge.

> There's no more risk to having an attacker holding a tun(4) device
> than there is from one directly connecting to an Ethernet port on your
> machine.

That is true.
