Bug #2250
closed
OpenGGSN requires to run as root for no apparent reason
Added by laforge almost 7 years ago.
Updated over 6 years ago.
Description
OpenGGSN currently requires root (or rather CAP_NET_ADMIN) to run. There's no really good/technical reason for that, except for the fact that it currently seems to insist on creating the tun device inside libgtp, as well as setting the IP address/mask of that tun device.
The standard procedure is to have 'ip tunnel' or 'tunctl' create a tun/tap device and "chown" that to a given user/group. The program then simply uses that device without having to create it or modify it's IP address config.
If OpenGGSN could be configured to use such a pre-existing (persistent) tun device, it should be easy to run as non-root / non-CAP_NET_ADMIN.
Quick mock-up/hack shows that it is possible to
- set ifr.ifr_name to the name of the pre-existing tun device before caling ioctl(TUNSETIFF) in lib/tun.c
- skip the tun_setaddr()
and then openggsn runs as regular user.
So we'd have to
- add a config option to specify the tun device name via config file
- skip calling tun_setaddr in ggsn/ggsn.c if there is no "net" config file line (or similar criteria).
- Related to Feature #1850: migrate osmo-gsm-tester from sysmocom internal jenkins to public jenkins added
- Assignee set to msuraev
- Priority changed from Normal to Low
laforge wrote:
Quick mock-up/hack shows that it is possible
Is this available on some branch somewhere?
On Fri, Jul 21, 2017 at 02:42:21PM +0000, msuraev [REDMINE] wrote:
Quick mock-up/hack shows that it is possible
Is this available on some branch somewhere?
just pushed as laforge/non-root - it's super trivial.
- Status changed from New to Resolved
- Assignee changed from msuraev to laforge
- % Done changed from 0 to 100
This has been implemented in OsmoGGSN (not OpenGGSN) as part of the introduction of a VTY interface.
If there are no "ifconfig" lines in the configuration file, and the tun device already exists at GGSN startup time, then no root privileges are required anymore.
- Status changed from Resolved to Closed
- Related to Feature #4107: Start systemd services as non-root user added
Also available in: Atom
PDF
