| Message ID | 498706D2.5070003@msgid.tls.msk.ru |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Mon, 02 Feb 2009 17:44:34 +0300

> Michael Tokarev wrote:
> []
> > 2, and this is the main one: How about supplementary groups?
> >
> > Here I have a valid usage case: a group of testers running various
> > versions of windows using KVM (kernel virtual machine), 1 at a time,
> > to test some software. kvm is set up to use bridge with a tap device
> > (there should be a way to connect to the machine). Anyone on that group
> > has to be able to start/stop the virtual machines.
> >
> > My first attempt - pretty obvious when I saw -g option of tunctl - is
> > to add group ownership for the tun device and add a supplementary group
> > to each user (their primary group should be different). But that fails,
> > since kernel only checks for egid, not any other group ids.
> >
> > What's the reasoning to not allow supplementary groups and to only check
> > for egid?
>
> Like this.
>
> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

Seems reasonable, applied, thanks.
--- linux-2.6.28/drivers/net/tun.c.orig 2008-12-25 02:26:37.000000000 +0300 +++ linux-2.6.28/drivers/net/tun.c 2009-02-02 17:33:02.000000000 +0300 @@ -714,7 +714,7 @@ static int tun_set_iff(struct net *net, if (((tun->owner != -1 && current->euid != tun->owner) || (tun->group != -1 && - current->egid != tun->group)) && + !in_egroup_p(tun->group))) && !capable(CAP_NET_ADMIN)) return -EPERM; }
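Review bot: the patch description is only "Like this." and should state what the hunk changes, namely that tun_set_iff() now admits a caller whose supplementary groups include tun->group rather than only a caller whose egid equals it, because in_egroup_p() checks both the effective gid and the supplementary group list. That widening is the intent of the quoted discussion (the tunctl -g use case), and the surrounding logic still holds: the existing `tun->group != -1 &&` guard keeps the unset value from reaching in_egroup_p(), the `tun->owner` euid check is untouched, and the `!capable(CAP_NET_ADMIN)` override is unchanged, so no further code change seems needed, only a changelog that records the new access semantics for persistent tun/tap devices.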