From: <ku...@ms...> - 2000-08-23 17:55:07
Hello!

> > The ethertap driver requires CAP_NET_ADMIN and ignores the bits on
> > /dev/tap*. I think Alexey would accept a patch that changes this.

The ethertap device has just been replaced.

> This patch does it. It looks like it's feasible to do it as non-root with
> PF_NETLINK sockets, but then it's available to _any_ user, which isn't much
> better. We need to be able to restrict it to a single user/group.

Netlink is a broadcast medium. Access control is made per message and
depends on the message kind. Any client knows who sent the packet.

netlink_dev is open for removal rather than for improvements.

User/group access to netlink is advertised (though it is _not_ more
fine-grained, but rather too coarse from the netlink viewpoint, see above),
but certainly not using a character device interface. Using vfs facilities,
probably.

Alexey
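The per-message access-control model Alexey describes can be seen directly on a NETLINK_ROUTE socket. The following is an added example, not code from the thread or from the kernel: it builds an RTM_GETLINK dump (a read-only request any uid may send) and an RTM_NEWLINK request that sets IFF_UP (a kind the kernel only accepts from a CAP_NET_ADMIN holder), and parses the kernel's replies, including the NLMSG_ERROR that carries -EPERM when the capability is missing. The struct layouts and numeric constants are those of <linux/netlink.h> and <linux/rtnetlink.h>; all function names are ours, and the sample error reply is constructed in the way the kernel formats it so the parser can be exercised without a live socket.

```python
"""Minimal rtnetlink client showing that netlink enforces access per message kind.

Added example, not from the original thread or the kernel.  Constants and
struct layouts are taken from <linux/netlink.h> / <linux/rtnetlink.h>; the
helper names are ours.
"""
import errno
import os
import socket
import struct

# Constants from <linux/netlink.h> and <linux/rtnetlink.h>.
NETLINK_ROUTE = 0
NLMSG_ERROR = 2
NLMSG_DONE = 3
RTM_NEWLINK = 16
RTM_GETLINK = 18
NLM_F_REQUEST = 0x001
NLM_F_ACK = 0x004
NLM_F_DUMP = 0x300          # NLM_F_ROOT | NLM_F_MATCH
IFF_UP = 0x1

NLMSGHDR = struct.Struct("=IHHII")    # nlmsg_len, type, flags, seq, pid (sender port id)
IFINFOMSG = struct.Struct("=BBHiII")  # family, pad, type, ifindex, flags, change mask
NLMSGERR = struct.Struct("=i")        # error (negative errno, 0 = ack), then echoed header


def nlmsg_align(n):
    """Netlink messages are padded to a 4-byte boundary."""
    return (n + 3) & ~3


def build_request(msg_type, flags, seq, payload, pid=0):
    """Wrap payload in an nlmsghdr.  pid 0 means 'the kernel' as destination/sender."""
    length = NLMSGHDR.size + len(payload)
    hdr = NLMSGHDR.pack(length, msg_type, flags, seq, pid)
    return hdr + payload + b"\0" * (nlmsg_align(length) - length)


def build_getlink_dump(seq):
    """RTM_GETLINK dump: a GET kind, which rtnetlink answers for any user."""
    return build_request(RTM_GETLINK, NLM_F_REQUEST | NLM_F_DUMP, seq,
                         IFINFOMSG.pack(socket.AF_UNSPEC, 0, 0, 0, 0, 0))


def build_setlink_up(ifindex, seq):
    """RTM_NEWLINK setting IFF_UP: a modifying kind, checked against CAP_NET_ADMIN."""
    return build_request(RTM_NEWLINK, NLM_F_REQUEST | NLM_F_ACK, seq,
                         IFINFOMSG.pack(socket.AF_UNSPEC, 0, 0, ifindex, IFF_UP, IFF_UP))


def parse_messages(data):
    """Split one netlink datagram into (type, flags, seq, pid, payload) tuples."""
    out = []
    off = 0
    while off + NLMSGHDR.size <= len(data):
        length, mtype, flags, seq, pid = NLMSGHDR.unpack_from(data, off)
        if length < NLMSGHDR.size or off + length > len(data):
            raise ValueError("truncated netlink message")
        out.append((mtype, flags, seq, pid, data[off + NLMSGHDR.size:off + length]))
        off += nlmsg_align(length)
    return out


def summarize_reply(data):
    """('error', errno) for NLMSG_ERROR (errno 0 is a plain ack), ('done',), or ('data', type)."""
    result = []
    for mtype, _flags, _seq, _pid, payload in parse_messages(data):
        if mtype == NLMSG_ERROR:
            (err,) = NLMSGERR.unpack_from(payload)
            result.append(("error", -err))
        elif mtype == NLMSG_DONE:
            result.append(("done",))
        else:
            result.append(("data", mtype))
    return result


def build_error_reply(request, error, seq, pid):
    """Constructed sample of the kernel's NLMSG_ERROR: errno plus the offending request header."""
    return build_request(NLMSG_ERROR, 0, seq, NLMSGERR.pack(error) + request[:NLMSGHDR.size], pid)


def exchange(sock, request):
    """Send a request to the kernel and gather its reply (dumps run until NLMSG_DONE)."""
    sock.sendto(request, (0, 0))
    collected = []
    while True:
        data, (sender_pid, _groups) = sock.recvfrom(65536)
        # sender_pid is the port id of whoever sent this; 0 means the kernel itself.
        assert sender_pid == 0
        part = summarize_reply(data)
        collected.extend(part)
        if any(m[0] in ("done", "error") for m in part):
            return collected


if __name__ == "__main__":
    if not hasattr(socket, "AF_NETLINK"):
        raise SystemExit("netlink sockets are Linux-only")
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE) as s:
        s.bind((0, 0))
        links = exchange(s, build_getlink_dump(seq=1))
        print("uid %d: RTM_GETLINK dump returned %d link messages"
              % (os.getuid(), sum(1 for m in links if m[0] == "data")))
        ack = exchange(s, build_setlink_up(1, seq=2))   # ifindex 1 is normally lo
        print("RTM_NEWLINK IFF_UP on ifindex 1 ->", ack)
        # Unprivileged: [('error', 1)] i.e. EPERM; with CAP_NET_ADMIN: [('error', 0)] (ack).
```

Run it once as an ordinary user and once with CAP_NET_ADMIN: the dump is served both times, while the RTM_NEWLINK is refused with EPERM only in the unprivileged run. The decision is made on the message, not on who opened the socket, which is the point of the reply above: there is no per-device permission bit to chmod, and any process can bind NETLINK_ROUTE.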