Bug 513379

Summary: /dev/net/tun permissions should not be 0666
Product: Fedora
Component: udev
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Version: 12
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-01-12 10:57:22 EST

Reporter: Jan "Yenya" Kasprzak <kas>
Assignee: Harald Hoyer <harald>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dgunchev, dwmw2, harald, jmorris, mcermak

Description Jan "Yenya" Kasprzak 2009-07-23 08:04:21 EDT
Description of problem:
/dev/net/tun file has permissions 0666 by default (probably required by OpenVPN).
James Morris in his follow-up to the CVE-2009-1897 kernel vulnerability suggests
that the file should not be world-writable:

Probably we should add a special group "tun" or "vpn" and make the file 0660 for that group.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ls -l /dev/net/tun
Actual results:
crw-rw-rw- 1 root root 10, 200 2009-07-07 18:59 /dev/net/tun

Expected results:
crw------- 1 root root 10, 200 2009-07-07 18:59 /dev/net/tun

Comment 1 Jan "Yenya" Kasprzak 2009-11-20 02:47:54 EST
Still present in F12. Are there any plans to fix this?

Comment 2 Doncho N. Gunchev 2009-12-06 10:27:55 EST
This got fixed at some point, I have:

ls -l /dev/net/tun
crw------- 1 root root 10, 200 2009-12-06 17:15 /dev/net/tun

Comment 3 Doncho N. Gunchev 2009-12-06 10:29:06 EST
Forgot to mention, udev-145-14.fc12.x86_64.

Comment 4 Martin Cermak 2010-01-12 10:57:22 EST
This appears to be fixed in both RHEL6 and F12, so I'm closing this.

Comment 5 David Woodhouse 2012-06-22 04:48:28 EDT
This isn't a bug, and as far as I can tell it (thankfully) *hasn't* been 'fixed' in Fedora or RHEL.

If you really can reproduce a case where it gets set to 0600, and you haven't done anything special on your system to achieve that, then please re-open bug 196041.

If you want to devise a group-ownership scheme instead and set the permissions to 0660 instead of 0666, that's fine. You'll need to start by adding the relevant group, then patch all the packages in the distribution to ensure that the relevant processes run in that group, and then you can restrict the permissions.
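An added illustration, not from the bug report or from Fedora's udev package, of the group-ownership scheme comment 5 describes: a udev rule handing the tun node to a dedicated group with mode 0660, plus a POSIX sh audit check that flags the 0666 state shown in the bug's "Actual results". The group name "vpn", the rule filename and the use of GNU coreutils `stat -c '%a'` (Linux) are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or Fedora's udev package.
# Implements the scheme from comment 5: /dev/net/tun owned by a dedicated
# group with mode 0660, plus an audit check for the world-writable case.
# Assumptions: group "vpn" exists (groupadd vpn), the rule filename is
# illustrative, and GNU coreutils stat is available (Linux).

# Write a udev rule giving the tun node to group "vpn" with mode 0660.
# $1 is the rules directory (/etc/udev/rules.d on a real host).
write_tun_rule() {
    cat > "$1/80-tun-group.rules" <<'EOF'
# /dev/net/tun: root and the "vpn" group only; no world access
KERNEL=="tun", GROUP="vpn", MODE="0660"
EOF
}

# Octal permission bits of a path, e.g. "666" or "660" (GNU stat assumed).
mode_of() {
    stat -c '%a' "$1"
}

# Exit 0 when the "other" write bit is set, i.e. the node is world-writable
# as in the bug's "Actual results"; exit 1 otherwise; exit 2 if stat fails.
world_writable() {
    mode=$(mode_of "$1") || return 2
    other=${mode#"${mode%?}"}      # last octal digit = "other" permissions
    [ $(( other & 2 )) -ne 0 ]
}

# Audit one device node: print a verdict, return 1 on a finding.
audit_tun() {
    if world_writable "$1"; then
        echo "FINDING: $1 is world-writable (mode $(mode_of "$1"))"
        return 1
    fi
    echo "OK: $1 mode $(mode_of "$1")"
    return 0
}

# Usage: sh tun-audit.sh /dev/net/tun
if [ $# -gt 0 ]; then
    audit_tun "$1"
fi
```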