On Tue, May 8, 2018 at 1:14 PM Luca Boccassi <bl...@debian.org> wrote:
> On Sun, 06 May 2018 01:05:51 +0300 Mantas Mikulėnas <graw...@nullroute.eu.org> wrote:
> > Package: iproute2
> > Version: 4.16.0-2
> > Severity: normal
> >
> > zerotier-one (a mesh-VPN program) calls `ip addr add` as non-root, but
> > with the necessary capabilities present (ambient, inheritable, and
> > effective).
> >
> > However, the latest iproute2 version made `ip` drop all capabilities
> > unconditionally (except for `ip vrf exec`), so this no longer works --
> > ip receives "Operation not permitted" and ZeroTier becomes unable to
> > configure its tunnel interface, making the VPN completely unusable.
>
> Hi,
>
> Which capabilities does zerotier-one use and need? The solution is
> simple if there's no overlap with vrf exec, otherwise it's going to get
> hairy.

Well, as a VPN service it requires the ability to create tap interfaces and configure IP addresses & routes – which is why it spawns `ip addr add` in the first place. So I believe that's CAP_NET_ADMIN (and the source code [1] additionally keeps CAP_NET_RAW for some reason).

[1]: https://github.com/zerotier/ZeroTierOne/blob/master/one.cpp#L1044-L1110

--
Mantas Mikulėnas
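The thread turns on which capability sets a non-root parent must hold for a spawned `ip` to receive CAP_NET_ADMIN at all. The following diagnostic is an added example, not code from the thread, iproute2 or ZeroTier: it parses the `Cap*` lines of `/proc/PID/status` and applies the execve() transformation rules from capabilities(7) to show what a child binary without file capabilities would end up with. The sample status text in the test is constructed; the set-UID and root cases of the exec rules are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13

/* Capability sets of one process as 64-bit masks, same layout as /proc/PID/status. */
struct capsets { uint64_t inh, prm, eff, bnd, amb; };

/* Parse the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of a status text.
   Returns how many of the five Cap* lines were found. */
int parse_cap_status(const char *status, struct capsets *cs) {
    int found = 0;
    memset(cs, 0, sizeof *cs);
    for (const char *p = status; *p; ) {
        char key[16]; unsigned long long v;
        if (sscanf(p, "%15[A-Za-z]: %llx", key, &v) == 2) {
            if      (!strcmp(key, "CapInh")) { cs->inh = v; found++; }
            else if (!strcmp(key, "CapPrm")) { cs->prm = v; found++; }
            else if (!strcmp(key, "CapEff")) { cs->eff = v; found++; }
            else if (!strcmp(key, "CapBnd")) { cs->bnd = v; found++; }
            else if (!strcmp(key, "CapAmb")) { cs->amb = v; found++; }
        }
        p = strchr(p, '\n');
        if (!p) break;
        p++;
    }
    return found;
}

int has_cap(uint64_t mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Effective set the child holds after execve(), per capabilities(7), for a
   non-root, non-set-UID caller. f_inh/f_prm are the file's capability masks
   (0 for a plain binary such as /bin/ip without file caps); f_eff is its
   effective flag. With no file caps the child keeps exactly the ambient set,
   which is why the parent must raise CAP_NET_ADMIN into CapAmb, not only CapEff. */
uint64_t effective_after_exec(const struct capsets *cs, uint64_t f_inh, uint64_t f_prm, int f_eff) {
    int privileged = (f_inh != 0) || (f_prm != 0);   /* file caps make the binary "privileged" */
    uint64_t amb2 = privileged ? 0 : cs->amb;         /* ambient is cleared for privileged files */
    uint64_t prm2 = (cs->inh & f_inh) | (f_prm & cs->bnd) | amb2;
    return f_eff ? prm2 : amb2;
}

int main(void) {
    char buf[4096] = {0}; struct capsets cs;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    fread(buf, 1, sizeof buf - 1, f); fclose(f);
    parse_cap_status(buf, &cs);
    printf("CAP_NET_ADMIN: eff=%d inh=%d amb=%d; a child without file caps would get eff=%d\n",
           has_cap(cs.eff, CAP_NET_ADMIN), has_cap(cs.inh, CAP_NET_ADMIN),
           has_cap(cs.amb, CAP_NET_ADMIN), has_cap(effective_after_exec(&cs, 0, 0, 0), CAP_NET_ADMIN));
    return 0;
}
```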