Greetings,
I have a small test program that opens /dev/net/tun and runs ioctl(TUNSETIFF) on it as a normal user.
At the current stage, this is what I'm getting when I run it as user foo: ioctl(TUNSETIFF): Operation not permitted
The permissions of /dev/net/tun are as follows: crw-rw---- 1 root foo 10, 200 Feb 27 15:52 /dev/net/tun
And the groups of user foo are as follows: uid=1002(foo) gid=1002(foo) groups=1002(foo)
I know that on other distros there is a group named netdev which allows such access; however, I learned that Arch doesn't have it.
Any ideas how to allow such access for a regular user?
Have you looked at Udev Allowing regular users to use devices?
Your permissions should be enough to open the file, but particular ioctls may have further rules.
It's possible that your executable needs to have some particular "capabilities" (see man capabilities) like CAP_NET_ADMIN, which can be enabled with setcap (run it once as root).
`ioctl(TUNSETIFF)` does require CAP_NET_ADMIN. The error from the test program does not appear to be EACCES returned from the open call failing to open /dev/net/tun, but rather ioctl(TUNSETIFF) returning EPERM due to missing CAP_SYS_ADMIN, with the error message not stating which call has failed.
Edit:
Corrected CAP_SYS_ADMIN to CAP_NET_ADMIN.
Last edited by loqs (Yesterday 22:44:41)
`ioctl(TUNSETIFF)` does require CAP_SYS_ADMIN.
Do you have a source for this?
https://www.kernel.org/doc/Documentatio … tuntap.txt suggests CAP_NET_ADMIN is sufficient
https://unix.stackexchange.com/question … ltunsetiff has people tripping over lack of ambient caps
Explicitly searching for "TUNSETIFF" "CAP_SYS_ADMIN" (verbatim) came back rather empty.
@seth apologies, I meant CAP_NET_ADMIN; no idea why I typed CAP_SYS_ADMIN.
Last edited by loqs (Yesterday 22:45:03)
any ideas how to allow such access for regular user?
You can set the CAP_NET_ADMIN capability on the binary executable:
$ sudo setcap cap_net_admin=eip path/to/executable
Every time the binary is modified, the capability should be set again.
If this executable is accessible by other users, you may want to drop its "group" and "other" executable bits for security reasons, allowing only a particular user to execute it.
Another option is to run as root to gain the required ambient and inheritable capabilities and then drop UID/GID back to the regular user:
$ sudo setpriv \
--reuid=$(id -u) \
--regid=$(id -g) \
--init-groups \
--ambient-caps +net_admin \
--inh-caps +net_admin \
/path/to/executable
This is convenient while developing or debugging your own program which requires some capabilities. For more convenience you can put this command into a script and allow a specific user to run the script with sudo without a password.
Remember, playing with capabilities is always a security risk.
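As an added example (not the original poster's test program and not code from anyone in this thread), the following C probe separates the two failure points discussed above: it reports whether open() on /dev/net/tun or the ioctl(TUNSETIFF) call failed, with the errno of the failing call, and then reads the process's own effective capability set from /proc/self/status to say whether CAP_NET_ADMIN (capability number 12) is present. Running it plainly, under `setcap cap_net_admin=eip`, and under the `setpriv` wrapper lets you see which of the options above actually delivered the capability. The device path and the IFF_TUN|IFF_NO_PI flags are assumptions for the demonstration.

```c
/* tun_probe.c: added diagnostic example, not the thread's original program.
 * Build: cc -o tun_probe tun_probe.c   (Linux only: uses <linux/if_tun.h>) */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/if.h>
#include <linux/if_tun.h>

/* CAP_NET_ADMIN is capability number 12 (see <linux/capability.h>). */
#define CAP_NET_ADMIN_BIT 12

/* Return 1 if capability `cap` is set in a hex mask string such as
 * "0000000000001000" (the format of CapEff: in /proc/<pid>/status). */
int cap_in_mask(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Find the CapEff: line in a /proc/<pid>/status-style text.
 * Returns 1 if `cap` is effective, 0 if not, -1 if the line is absent. */
int effective_cap_from_status(const char *status_text, int cap)
{
    const char *line = strstr(status_text, "CapEff:");
    if (!line)
        return -1;
    line += strlen("CapEff:");
    while (*line == ' ' || *line == '\t')
        line++;
    return cap_in_mask(line, cap);
}

/* Same check for the running process itself. */
int have_effective_cap(int cap)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return effective_cap_from_status(buf, cap);
}

/* Step-by-step probe: 0 on success, 1 if open() failed, 2 if ioctl() failed.
 * *err receives the errno of the failing call, so EACCES (file permissions)
 * and EPERM (missing capability) can be told apart. */
int probe_tun(const char *dev, int *err)
{
    struct ifreq ifr;
    int fd = open(dev, O_RDWR);
    if (fd < 0) {
        *err = errno;
        return 1;
    }
    memset(&ifr, 0, sizeof ifr);
    ifr.ifr_flags = IFF_TUN | IFF_NO_PI;   /* assumed: a plain tun device, no packet info */
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
        *err = errno;
        close(fd);
        return 2;
    }
    close(fd);   /* closing the fd tears the transient interface down again */
    *err = 0;
    return 0;
}

int main(void)
{
    int err = 0;
    int step = probe_tun("/dev/net/tun", &err);
    const char *what[] = { "ok", "open(/dev/net/tun)", "ioctl(TUNSETIFF)" };
    if (step)
        fprintf(stderr, "%s failed: %s (errno %d)\n", what[step], strerror(err), err);
    else
        puts("tun interface created and released");
    int c = have_effective_cap(CAP_NET_ADMIN_BIT);
    printf("CAP_NET_ADMIN in effective set: %s\n",
           c == 1 ? "yes" : c == 0 ? "no" : "unknown");
    return step;
}
```

If open() fails with EACCES, the device node's mode or group is the problem; if open() succeeds and the ioctl fails with EPERM while the last line says "no", the process lacks CAP_NET_ADMIN, which is exactly the situation the original poster describes.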
Or use a user namespace with a net namespace, `unshare -Urn /path/to/executable`, provided you do not need to talk to the host's network.