Bug 513379 - /dev/net/tun permissions should not be 0666
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: udev
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Harald Hoyer
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-07-23 08:04 EDT by Jan "Yenya" Kasprzak
Modified: 2012-06-22 04:48 EDT
Doc Type: Bug Fix
Last Closed: 2010-01-12 10:57:22 EST

Attachments: None
Description Jan "Yenya" Kasprzak 2009-07-23 08:04:21 EDT
Description of problem:
/dev/net/tun file has permissions 0666 by default (probably required by OpenVPN).
James Morris in his followup to the CVE-2009-1897 kernel vulnerability suggests
that the file should not be world-writable:

http://blog.namei.org/2009/07/18/a-brief-note-on-the-2630-kernel-null-pointer-vulnerability/

Probably we should add a special group "tun" or "vpn" and make the file 0660 for that group.

Version-Release number of selected component (if applicable):
udev-141-3.fc11.x86_64

How reproducible:


Steps to Reproduce:
1. ls -l /dev/net/tun
  
Actual results:
crw-rw-rw- 1 root root 10, 200 2009-07-07 18:59 /dev/net/tun

Expected results:
crw------- 1 root root 10, 200 2009-07-07 18:59 /dev/net/tun
Comment 1 Jan "Yenya" Kasprzak 2009-11-20 02:47:54 EST
Still present in F12. Are there any plans to fix this?
Comment 2 Doncho N. Gunchev 2009-12-06 10:27:55 EST
This got fixed at some point, I have:

ls -l /dev/net/tun
crw------- 1 root root 10, 200 2009-12-06 17:15 /dev/net/tun
Comment 3 Doncho N. Gunchev 2009-12-06 10:29:06 EST
Forgot to mention: udev-145-14.fc12.x86_64.
Comment 4 Martin Cermak 2010-01-12 10:57:22 EST
This appears to be fixed in both RHEL6 and F12, so I'm closing this.
Comment 5 David Woodhouse 2012-06-22 04:48:28 EDT
This isn't a bug, and as far as I can tell it (thankfully) *hasn't* been 'fixed' in Fedora or RHEL.

If you really can reproduce a case where it gets set to 0600, and you haven't done anything special on your system to achieve that, then please re-open bug 196041.

If you want to devise a group-ownership scheme instead and set the permissions to 0660 instead of 0666, that's fine. You'll need to start by adding the relevant group, then patch all the packages in the distribution to ensure that the relevant processes run in that group, and then you can restrict the permissions.
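One way to check a device node for the world-writable bit, and to express the group-ownership scheme described in comment 5 as a udev rule. This is an added example, not part of the bug report or of Fedora's udev packaging: the group name "tun" is an assumption taken from the scheme proposed in the thread, and the sample input is the pair of ls -l lines quoted in the description.

```shell
#!/bin/sh
# Added example: audit a device node for the "other write" bit and emit the
# udev rule that would implement the 0660 group-ownership scheme discussed
# in the thread. Not from the bug report; the group name "tun" is an assumption.

# other_write_from_ls MODESTR
# Exit 0 if an ls -l mode string such as "crw-rw-rw-" has the other-write bit.
# The 9th character of the 10-character string is that bit ("w" or "-").
other_write_from_ls() {
    case "$1" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# other_write_from_octal OCTAL
# Exit 0 if the last octal digit (the "other" triplet) has the write bit (2).
# Works on "666", "0666" and 4-digit values that carry setuid/setgid/sticky.
other_write_from_octal() {
    last=${1%?}                # everything but the final character
    other=${1#"$last"}         # the final character
    case "$other" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_ls_line "LS_OUTPUT_LINE"
# Prints "world-writable" or "ok" for one line of ls -l output.
audit_ls_line() {
    set -- $1                  # split on whitespace; $1 is now the mode string
    if other_write_from_ls "$1"; then
        echo "world-writable"
    else
        echo "ok"
    fi
}

# check_node PATH
# Prints the verdict for a real device node, using GNU stat's octal mode.
check_node() {
    if [ ! -e "$1" ]; then
        echo "missing"
        return 0
    fi
    octal=$(stat -c %a "$1" 2>/dev/null) || { echo "unreadable"; return 0; }
    if other_write_from_octal "$octal"; then
        echo "world-writable ($octal)"
    else
        echo "ok ($octal)"
    fi
}

# tun_udev_rule GROUP
# The udev rule that hands /dev/net/tun to GROUP with mode 0660. The group
# name is assumed; the match/assignment keys are standard udev syntax.
tun_udev_rule() {
    printf 'KERNEL=="tun", GROUP="%s", MODE="0660"\n' "$1"
}

# Constructed sample input: the two ls -l lines quoted in the description.
ACTUAL_LINE='crw-rw-rw- 1 root root 10, 200 2009-07-07 18:59 /dev/net/tun'
EXPECTED_LINE='crw------- 1 root root 10, 200 2009-07-07 18:59 /dev/net/tun'

echo "actual:   $(audit_ls_line "$ACTUAL_LINE")"
echo "expected: $(audit_ls_line "$EXPECTED_LINE")"
echo "live:     $(check_node /dev/net/tun)"
echo "rule:     $(tun_udev_rule tun)"
```

The rule line would go in a file under /etc/udev/rules.d/ on a system that adopts the scheme; as comment 5 points out, tightening the mode is only the last step, since every process that opens the device (OpenVPN and the like) must first be made to run with that supplementary group.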
