From: Michael Tokarev <mjt@tls.msk.ru>
To: netdev <netdev@vger.kernel.org>, Guido Guenther <agx@sigxcpu.org>
Subject: re: Allow group ownership of TUN/TAP devices.
Date: Mon, 02 Feb 2009 17:18:53 +0300
Message-ID: <498700CD.2030403@msgid.tls.msk.ru>
Hi. Just noticed an old commit 8c644623fe7e41f59fe97cdf666cba3cb7ced7d8
dated Mon Jul 2 22:50:25 2007 -0700 that allows group ownership for
tun/tap devices. Here's the comment:
[NET]: Allow group ownership of TUN/TAP devices.
Introduce a new syscall TUNSETGROUP for group ownership setting of tap
devices. The user now is allowed to send packages if either his euid or
his egid matches the one specified via tunctl (via -u or -g
respectively). If both, gid and uid, are set via tunctl, both have to
match.
Two questions:
1: why do both have to match? Is it really useful?
(I understand it's a corner case, somehow)
2, and this is the main one: How about supplementary groups?
Here I have a valid usage case: a group of testers running various
versions of Windows using KVM (kernel virtual machine), 1 at a time,
to test some software. kvm is set up to use bridge with a tap device
(there should be a way to connect to the machine). Anyone on that group
has to be able to start/stop the virtual machines.
My first attempt - pretty obvious when I saw the -g option of tunctl - is
to add group ownership for the tun device and add a supplementary group
to each user (their primary group should be different). But that fails,
since kernel only checks for egid, not any other group ids.
What's the reasoning for not allowing supplementary groups and only checking
for egid?
Thanks!
/mjt
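To make the access rule under discussion concrete, here is an added example (not code from the post or from the kernel) that models the quoted rule in user space: tun_allowed_egid_only implements the euid/egid check as the commit message describes it, tun_allowed_any_group is a variant that also consults the caller's supplementary groups, and the UNSET_ID sentinel, the uid/gid values and the tester scenario are constructed assumptions.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Sentinel for "no owner/group configured" (assumption for this model). */
#define UNSET_ID ((uid_t)-1)
/* Rule quoted from the commit message: a configured owner must equal the caller's
 * euid and a configured group the caller's egid; if both are set, both must match. */
int tun_allowed_egid_only(uid_t owner, gid_t group, uid_t euid, gid_t egid)
{
    if (owner != UNSET_ID && euid != owner)
        return 0;
    if (group != (gid_t)UNSET_ID && egid != group)
        return 0;
    return 1;
}
/* Variant that also accepts the group via the caller's supplementary groups. */
int tun_allowed_any_group(uid_t owner, gid_t group, uid_t euid, gid_t egid,
                          const gid_t *supp, size_t nsupp)
{
    if (owner != UNSET_ID && euid != owner)
        return 0;
    if (group == (gid_t)UNSET_ID || egid == group)
        return 1;
    for (size_t i = 0; i < nsupp; i++)
        if (supp[i] == group)       /* membership through a supplementary group */
            return 1;
    return 0;
}
/* Constructed scenario from the post: tap owned by group 1001 only; tester
 * uid 1500 has primary gid 100 and holds 1001 only as a supplementary group. */
int tester_passes_egid_check(void) { return tun_allowed_egid_only(UNSET_ID, 1001, 1500, 100); }
int tester_passes_any_group_check(void)
{
    gid_t supp[] = { 100, 1001 };
    return tun_allowed_any_group(UNSET_ID, 1001, 1500, 100, supp, 2);
}

int main(void)
{
    gid_t mine[64];
    int n = getgroups(64, mine);   /* supplementary groups of this process */
    printf("tester: egid-only=%d supplementary-aware=%d\n",
           tester_passes_egid_check(), tester_passes_any_group_check());
    if (n >= 0)                    /* same rule applied to the caller, group 1001 */
        printf("this process: supplementary-aware=%d\n",
               tun_allowed_any_group(UNSET_ID, 1001, geteuid(), getegid(), mine, (size_t)n));
    return 0;
}
```

The tester scenario is denied by the egid-only rule and allowed by the supplementary-aware variant, which is exactly the gap the question above is about.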