Bug 1223 - tun/tap capability requires root privileges
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All All
Importance: P2 enhancement
Assignee: Assigned to nobody
 
Reported: 2006-08-31 01:25 AEST by Jason
Modified: 2007-07-04 10:19 AEST

Attachments
proof-of-concept TUNSETOWNER patch (3.49 KB, patch)
2006-08-31 01:28 AEST, Jason
patch updated for openssh-4.4_p1 (3.37 KB, patch)
2006-10-09 04:41 AEST, Jason
upgrade to latest version (3.37 KB, patch)
2007-07-04 10:19 AEST, Jason

Description Jason 2006-08-31 01:25:51 AEST
I've been testing openssh-4.3_p2 on my Gentoo systems for remote layer2 access to my home network.  It works well (haven't tested latency-sensitive traffic, e.g. VoIP, yet), but only when logging in as root.  

I've created a first draft patch against 4.3_p2 that compiles cleanly on Linux, and allows remote users to establish a tun/tap VPN as unprivileged users.  This is done via the TUNSETOWNER ioctl().  

This patch is proof of concept only.  It does not add the capability to the other *nixs, has not been tested for security, and needs to be cleaned up.  I'm willing to do that if there is interest in adding this capability to openssh...
Comment 1 Jason 2006-08-31 01:28:13 AEST
Created attachment 1179
proof-of-concept TUNSETOWNER patch

This patch is the one referenced in the opening comment.
Comment 2 Jason 2006-10-09 04:41:20 AEST
Created attachment 1199
patch updated for openssh-4.4_p1

Attached patch update for openssh-4.4_p1.  Cleaned up #ifdefs by assuming this capability would be desired on other platforms.  Stubbed out (definitely not working) code for other platforms.
Comment 3 Jason 2007-07-04 10:19:29 AEST
Created attachment 1315
upgrade to latest version

Patch upgraded to version 4.6p1.  Compiles cleanly on x86_64 running Gentoo.  Still need some help with the *BSD code.