OpenGGSN requires to run as root for no apparent reason
OpenGGSN currently requires root (or rather CAP_NET_ADMIN) to run. There's no really good/technical reason for that, except for the fact that it currently seems to insist on creating the tun device inside libgtp, as well as setting the IP address/mask of that tun device.
The standard procedure is to have 'ip tunnel' or 'tunctl' create a tun/tap device and "chown" that to a given user/group. The program then simply uses that device without having to create it or modify it's IP address config.
If OpenGGSN could be configured to use such a pre-existing (persistent) tun device, it should be easy to run as non-root / non-CAP_NET_ADMIN.
- set ifr.ifr_name to the name of the pre-existing tun device before caling ioctl(TUNSETIFF) in lib/tun.c
- skip the tun_setaddr()
and then openggsn runs as regular user.
- add a config option to specify the tun device name via config file
- skip calling tun_setaddr in ggsn/ggsn.c if there is no "net" config file line (or similar criteria).
Related tutorial: http://backreference.org/2010/03/26/tuntap-interface-tutorial/
#8 Updated by laforge about 1 month ago
- Status changed from New to Resolved
- Assignee changed from msuraev to laforge
- % Done changed from 0 to 100
This has been implemented in OsmoGGSN (not OpenGGSN) as part of the introduction of a VTY interface.
If there are no "ifconfig" lines in the configuration file, and the tun device already exists at GGSN startup time, then no root privileges are required anymore.