From: David W. <dw...@in...> - 2000-08-25 12:51:05
da...@re... said:
> Looks fine, you'll want to resend this to Alan in a few weeks when he
> starts up 2.2.18 :-)

ak...@su... said:
> A nlsocket with opened character devices can still be accessed via
> sockets too, so you just opened a security hole.

I don't comprehend. The flag is being set only in the struct sock which is used by the netlink_dev. It's not being set anywhere else. Only operations on that particular socket will bypass the capability check. Other users can create their own socket, which won't have the same flag set. How can they access the socket which is being used by the netlink_dev, without actually going through the permissions check required to open /dev/tap$n?

--
dwmw2