network/tuntap: deny non-system users/groups from owning Tun/Tap interfaces

This is analogous to #36123, but for Tun/Tap interfaces created by
systemd-networkd.

If a regular user account wants to control a Tun/Tap interface, then
assign the interface to a system group, e.g., vpn, and add the user
to the group.

Closes #37279.
Yu Watanabe
2025-04-29 23:16:02 +09:00
parent 1fae13fbec
commit 940441b44c
3 changed files with 22 additions and 8 deletions


@@ -1970,16 +1970,16 @@ Ports=eth2</programlisting>
</varlistentry>
<varlistentry>
<term><varname>User=</varname></term>
<listitem><para>User to grant access to the
<filename>/dev/net/tun</filename> device.</para>
<listitem><para>User to grant access to the <filename>/dev/net/tun</filename> device. The specified
user must be a system user.</para>
<xi:include href="version-info.xml" xpointer="v215"/>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Group=</varname></term>
<listitem><para>Group to grant access to the
<filename>/dev/net/tun</filename> device.</para>
<listitem><para>Group to grant access to the <filename>/dev/net/tun</filename> device. The specified
group must be a system group.</para>
<xi:include href="version-info.xml" xpointer="v215"/>
</listitem>
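Review bot: the new sentences "The specified user must be a system user." and "The specified group must be a system group." in both the User= and Group= entries state the restriction but not what happens when it is violated, and the reader has no way to tell whether a non-system account is rejected when the .netdev file is parsed or whether the interface is simply not created; add one sentence saying which it is. Both entries also keep `<xi:include href="version-info.xml" xpointer="v215"/>`, which dates the setting itself, but the system-account requirement is a behaviour change for existing configurations and should carry a "since version ..." note for the release that ships this commit. Finally, the workaround given in the commit message (assign the interface to a system group such as vpn and add the regular user to that group) belongs in the Group= text, since that is where an administrator hitting the new restriction will look.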