OpenGGSN requires to run as root for no apparent reason
OpenGGSN currently requires root (or rather CAP_NET_ADMIN) to run. There's no really good/technical reason for that, except for the fact that it currently seems to insist on creating the tun device inside libgtp, as well as setting the IP address/mask of that tun device.
The standard procedure is to have 'ip tunnel' or 'tunctl' create a tun/tap device and "chown" that to a given user/group. The program then simply uses that device without having to create it or modify it's IP address config.
If OpenGGSN could be configured to use such a pre-existing (persistent) tun device, it should be easy to run as non-root / non-CAP_NET_ADMIN.
#1 Updated by laforge about 2 months ago
- set ifr.ifr_name to the name of the pre-existing tun device before caling ioctl(TUNSETIFF) in lib/tun.c
- skip the tun_setaddr()
and then openggsn runs as regular user.
- add a config option to specify the tun device name via config file
- skip calling tun_setaddr in ggsn/ggsn.c if there is no "net" config file line (or similar criteria).