On Sun Nov 29, 2020 at 9:59 PM CET, Jason A. Donenfeld wrote:
> Alright. Well, if you do think of good reasons why NCO is not a good
> match for unpriv'd WireGuard control, please let me know. The whole
> basis of going that route is the apparent intuition that these two
> types of things, network modification and tunnel up/down, are one and
> the same. But if you have in mind a way where the analogy breaks down,

I had actually never thought about this specifically before this discussion, but after deploying v0.3 I realized that network modification and tunnel up/down are /not/ one and the same!

It makes sense that an employee, or even I when running as a non-admin, would be able to up/down interfaces; but not create, modify or delete them. It's the same with software: a standard user cannot install it or uninstall it, but [s]he can use it.

I think this model really works well. I'm happy with it.

Riccardo
