Red Hat Bugzilla – Bug 513379
/dev/net/tun permissions should not be 0666
Last modified: 2012-06-22 04:48:28 EDT
Description of problem:
/dev/net/tun file has permissions 0666 by default (probably required by OpenVPN).
James Morris in his followup to the CVE-2009-1897 kernel vulnerability suggests
that the file should not be world-writable:
Probably we should add a special group "tun" or "vpn" and make the file 0660 for that group.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ls -l /dev/net/tun
Actual results:
crw-rw-rw- 1 root root 10, 200 2009-07-07 18:59 /dev/net/tun
Expected results:
crw------- 1 root root 10, 200 2009-07-07 18:59 /dev/net/tun
Still present in F12. Are there any plans to fix this?
This got fixed at some point; I have:
ls -l /dev/net/tun
crw------- 1 root root 10, 200 2009-12-06 17:15 /dev/net/tun
Forgot to mention: udev-145-14.fc12.x86_64.
This appears to be fixed in both RHEL6 and F12, so I'm closing this.
This isn't a bug, and as far as I can tell it (thankfully) *hasn't* been 'fixed' in Fedora or RHEL.
If you really can reproduce a case where it gets set to 0600, and you haven't done anything special on your system to achieve that, then please re-open bug 196041.
If you want to devise a group-ownership scheme instead and set the permissions to 0660 instead of 0666, that's fine. You'll need to start by adding the relevant group, then patch all the packages in the distribution to ensure that the relevant processes run in that group, and then you can restrict the permissions.
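As an added example (not part of this bug report, and not code from any Fedora or RHEL package), the following shell helper implements the group-ownership scheme the last comment describes: a dedicated group, a udev rule creating /dev/net/tun as root:group with mode 0660 instead of 0666, plus an audit of the live node so you can tell the three states discussed in this thread (0666, 0660 with a group, 0600) apart. The group name "tun", the rule path /etc/udev/rules.d/90-tun.rules and the use of GNU coreutils stat(1) are assumptions, not anything the report specifies.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any Fedora/RHEL package:
# implements the group-ownership scheme from the last comment (a dedicated
# group, node mode 0660) and audits a tun node's current mode.
# Assumptions not stated on the page: the group is named "tun", the rule
# lives in /etc/udev/rules.d/90-tun.rules, and GNU coreutils stat(1) is used.

TUN_GROUP="${TUN_GROUP:-tun}"
RULE_FILE="${RULE_FILE:-/etc/udev/rules.d/90-tun.rules}"

# True (exit 0) if an octal mode such as "666" or "0666" has the
# other-write bit set, i.e. the node is world-writable.
mode_is_world_writable() {
    # Prefix a 0 so the shell parses the digits as octal whether or not
    # the caller supplied the leading zero.
    [ $(( 0$1 & 2 )) -ne 0 ]
}

# Classify an (octal mode, owner, group) triple into the three states
# that come up in this bug: world-writable, restricted to a group, owner-only.
classify_node() {
    mode=$1 owner=$2 group=$3
    if mode_is_world_writable "$mode"; then
        echo "world-writable"
    elif [ $(( 0$mode & 070 )) -ne 0 ]; then
        echo "group-restricted:$group"
    else
        echo "owner-only:$owner"
    fi
}

# The udev rule that creates /dev/net/tun owned by root:GROUP with mode 0660
# instead of the 0666 the report complains about.
tun_udev_rule() {
    printf 'KERNEL=="tun", NAME="net/%%k", GROUP="%s", MODE="0660"\n' "$1"
}

# Report on a live node (default /dev/net/tun). Returns 2 if it is absent,
# which usually means the tun module is not loaded.
audit_tun_node() {
    node=${1:-/dev/net/tun}
    if [ ! -e "$node" ]; then
        echo "$node: missing (tun module not loaded?)"
        return 2
    fi
    set -- $(stat -c '%a %U %G' "$node")   # octal mode, owner, group
    echo "$node: $(classify_node "$1" "$2" "$3")"
}

# Root-only remediation: create the group, install the persistent rule and
# fix the node that already exists. Every process that opens the device
# (OpenVPN, qemu, ...) must then run with TUN_GROUP as a supplementary
# group, e.g.  usermod -a -G "$TUN_GROUP" openvpn  -- that is the
# "patch all the packages" step the comment warns about.
install_tun_rule() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "install_tun_rule: must run as root" >&2
        return 1
    fi
    getent group "$TUN_GROUP" >/dev/null || groupadd -r "$TUN_GROUP"
    tun_udev_rule "$TUN_GROUP" > "$RULE_FILE"
    udevadm control --reload-rules
    if [ -e /dev/net/tun ]; then
        chgrp "$TUN_GROUP" /dev/net/tun
        chmod 0660 /dev/net/tun
    fi
}

# Usage: sh tun-perms.sh audit | install
case "${1:-}" in
    audit)   audit_tun_node ;;
    install) install_tun_rule ;;
esac
```

Note that the audit only tells you what the node looks like; it cannot tell you whether every service that needs the device actually runs in the group, which is the part of the scheme that requires touching the packages themselves.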