Project

General

Profile

Bug #2250

OpenGGSN requires to run as root for no apparent reason

Added by laforge about 2 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
05/10/2017
Due date:
% Done:

0%

Spec Reference:

Description

OpenGGSN currently requires root (or rather CAP_NET_ADMIN) to run. There's no really good/technical reason for that, except for the fact that it currently seems to insist on creating the tun device inside libgtp, as well as setting the IP address/mask of that tun device.

The standard procedure is to have 'ip tunnel' or 'tunctl' create a tun/tap device and "chown" that to a given user/group. The program then simply uses that device without having to create it or modify it's IP address config.

If OpenGGSN could be configured to use such a pre-existing (persistent) tun device, it should be easy to run as non-root / non-CAP_NET_ADMIN.


Related issues

Related to OsmoGSMTester - Feature #1850: migrate osmo-gsm-tester from sysmocom internal jenkins to public jenkins Resolved 11/18/2016
Related to OsmoGSMTester - Feature #2251: run osmo-gsm-tester in user land Resolved 05/11/2017

History

#1 Updated by laforge about 2 months ago

Quick mock-up/hack shows that it is possible to
  • set ifr.ifr_name to the name of the pre-existing tun device before caling ioctl(TUNSETIFF) in lib/tun.c
  • skip the tun_setaddr()
    and then openggsn runs as regular user.
So we'd have to
  • add a config option to specify the tun device name via config file
  • skip calling tun_setaddr in ggsn/ggsn.c if there is no "net" config file line (or similar criteria).

#2 Updated by laforge about 2 months ago

  • Related to Feature #1850: migrate osmo-gsm-tester from sysmocom internal jenkins to public jenkins added

#3 Updated by neels about 2 months ago

  • Related to Feature #2251: run osmo-gsm-tester in user land added

Also available in: Atom PDF