Bug #2250
closed
OpenGGSN requires to run as root for no apparent reason
100%
Description
OpenGGSN currently requires root (or rather CAP_NET_ADMIN) to run. There's no really good/technical reason for that, except for the fact that it currently seems to insist on creating the tun device inside libgtp, as well as setting the IP address/mask of that tun device.
The standard procedure is to have 'ip tunnel' or 'tunctl' create a tun/tap device and "chown" that to a given user/group. The program then simply uses that device without having to create it or modify its IP address config.
If OpenGGSN could be configured to use such a pre-existing (persistent) tun device, it should be easy to run as non-root / non-CAP_NET_ADMIN.
Related issues
Updated by laforge almost 7 years ago
- set ifr.ifr_name to the name of the pre-existing tun device before calling ioctl(TUNSETIFF) in lib/tun.c
- skip the tun_setaddr()
and then openggsn runs as regular user.
- add a config option to specify the tun device name via config file
- skip calling tun_setaddr in ggsn/ggsn.c if there is no "net" config file line (or similar criteria).
Updated by laforge almost 7 years ago
- Related to Feature #1850: migrate osmo-gsm-tester from sysmocom internal jenkins to public jenkins added
Updated by neels almost 7 years ago
- Related to Feature #2251: run osmo-gsm-tester in user land added
Updated by laforge over 6 years ago
- Assignee set to msuraev
- Priority changed from Normal to Low
Updated by msuraev over 6 years ago
Related tutorial: http://backreference.org/2010/03/26/tuntap-interface-tutorial/
Updated by msuraev over 6 years ago
laforge wrote:
> Quick mock-up/hack shows that it is possible

Is this available on some branch somewhere?
Updated by laforge over 6 years ago
On Fri, Jul 21, 2017 at 02:42:21PM +0000, msuraev [REDMINE] wrote:
> > Quick mock-up/hack shows that it is possible
> Is this available on some branch somewhere?

just pushed as laforge/non-root - it's super trivial.
Updated by laforge over 6 years ago
- Status changed from New to Resolved
- Assignee changed from msuraev to laforge
- % Done changed from 0 to 100
This has been implemented in OsmoGGSN (not OpenGGSN) as part of the introduction of a VTY interface.
If there are no "ifconfig" lines in the configuration file, and the tun device already exists at GGSN startup time, then no root privileges are required anymore.
Updated by laforge about 3 years ago
- Related to Feature #4107: Start systemd services as non-root user added