| Submitter | Michael Tokarev |
|---|---|
| Date | Feb. 2, 2009, 2:44 p.m. |
| Message ID | <498706D2.5070003@msgid.tls.msk.ru> |
| Download | mbox, patch |
| Permalink | /patch/21564/ |
| State | Accepted |
| Delegated to: | David Miller |
Comments
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Mon, 02 Feb 2009 17:44:34 +0300

> Michael Tokarev wrote:
> []
> > 2, and this is the main one: How about supplementary groups?
> >
> > Here I have a valid usage case: a group of testers running various
> > versions of windows using KVM (kernel virtual machine), 1 at a time,
> > to test some software. kvm is set up to use bridge with a tap device
> > (there should be a way to connect to the machine). Anyone on that group
> > has to be able to start/stop the virtual machines.
> >
> > My first attempt - pretty obvious when I saw -g option of tunctl - is
> > to add group ownership for the tun device and add a supplementary group
> > to each user (their primary group should be different). But that fails,
> > since kernel only checks for egid, not any other group ids.
> >
> > What's the reasoning to not allow supplementary groups and to only check
> > for egid?
>
> Like this.
>
> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

Seems reasonable, applied, thanks.
Patch
--- linux-2.6.28/drivers/net/tun.c.orig 2008-12-25 02:26:37.000000000 +0300 +++ linux-2.6.28/drivers/net/tun.c 2009-02-02 17:33:02.000000000 +0300 @@ -714,7 +714,7 @@ static int tun_set_iff(struct net *net, if (((tun->owner != -1 && current->euid != tun->owner) || (tun->group != -1 && - current->egid != tun->group)) && + !in_egroup_p(tun->group))) && !capable(CAP_NET_ADMIN)) return -EPERM; }
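Review bot: the changelog is effectively empty ("Like this."), so the behavioural change in this hunk should be stated explicitly: replacing `current->egid != tun->group` with `!in_egroup_p(tun->group)` means tun_set_iff() now accepts a caller whose supplementary group list contains tun->group, not only one whose effective gid equals it, which widens who may attach to a group-owned persistent interface without CAP_NET_ADMIN. Suggest a one-line description to that effect, and a note that the `tun->group != -1` guard is kept unchanged, so an unset group still short-circuits before in_egroup_p() is reached; the owner test still compares only `current->euid`, so uid and gid are now checked with different semantics, which is worth saying in the description.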