On Sun, 12 Apr 2009 15:29:57 +0300 Lars Noodin
<[email protected]> wrote:

> Alexander Hall wrote:
> > Lars Noodén wrote:
> >>    $ ls -l /dev/tun?
> >>    crw-------  1 root  wheel    40,   0 Apr 11 14:50 /dev/tun0
> >>    crw-rw----  1 root  dialer   40,   1 Apr 11 20:23 /dev/tun1
> >
> > I've been wondering about this too. Although I have not tested this
> > yet...
>
> It works to eliminate the need for logging in as root on the remote
> host.  However local root is still needed, but sudo can manage that.
>
> The only mischief I could think of trying would be to rename the
> device, but that is prevented:
>
>       $ mv /dev/tun1 /dev/tun6
>       mv: rename /dev/tun1 to /dev/tun6: Permission denied
>
> Regards,
> -Lars
>

Since you don't have write access to the /dev directory, the attempted
move fails.

The thing to realize is a device file is really nothing more than a
pointer to a handling routine in the kernel. If you manage to change
what routine said pointer actually points to in the kernel (i.e. Major
and Minor number as displayed by ls), then there's a serious problem
because you're now executing the wrong code in the kernel.


crw--w----   1 jcr   tty         5,   8 Apr 12 05:58:17 2009 ttyp8
crw--w----   1 jcr   tty         5,   9 Apr 12 06:11:30 2009 ttyp9
crw--w----   1 jcr   tty         5,  10 Apr 12 06:14:51 2009 ttypa
crw--w----   1 jcr   tty         5,  11 Apr 12 06:14:51 2009 ttypb
crw--w----   1 jcr   tty         5,  12 Apr 12 06:14:51 2009 ttypc
crw-------   1 jcr   jcr        69,   1 Mar 29 22:20:59 2009 wskbd
crw-------   1 jcr   jcr        67,   0 Mar 29 22:20:59 2009 wskbd0
crw-------   1 jcr   jcr        69,   0 Mar 29 22:20:59 2009 wsmouse
crw-------   1 jcr   jcr        68,   0 Mar 29 22:20:59 2009 wsmouse0

The above shows some pseudo terminals (xterms) I have open, and the
last two (ttypb and ttypc) were opened for this test. I've got read and
write permissions to both of them.

        $ mknod -m 0600 ttypb c 5 12
        ksh: mknod: ttypb: Operation not permitted
        $

I tried to use mknod(8) (the same command used by MAKEDEV) to force the
ttypb device file to point to the same routine in the kernel where the
ttypc device file is pointing. Of course, it didn't work (as expected),
but that's the kind of scary stuff you need to watch out for when you
go mucking around with device files and permissions.

As long as you remember a device file is a pointer to executable code
in kernel space, you'll be appropriately fearful and cautious about messing
with them.

--
J.C. Roberts
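
An added example, not part of the original message: one way to check for the situation described above is to compare a current `ls -l` listing of /dev against a known-good one and flag any node whose major/minor pair changed or is shared by several names. The function names and the CURRENT listing are constructed for illustration; the BASELINE lines are copied from the listing in the message.

```python
import re
from collections import defaultdict

# Matches device lines of `ls -l` output as shown in the post, e.g.
# crw--w----   1 jcr   tty         5,  12 Apr 12 06:14:51 2009 ttypc
DEV_LINE = re.compile(
    r"^(?P<type>[bc])(?P<mode>[rwx-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<major>\d+),\s*(?P<minor>\d+)\s+.*\s(?P<name>\S+)$"
)

def parse_listing(text):
    """Return {name: (type, major, minor)} for every device line in text."""
    nodes = {}
    for line in text.splitlines():
        m = DEV_LINE.match(line.strip())
        if m:
            nodes[m["name"]] = (m["type"], int(m["major"]), int(m["minor"]))
    return nodes

def audit(baseline_text, current_text):
    """Compare a current /dev listing against a known-good one."""
    baseline, current = parse_listing(baseline_text), parse_listing(current_text)
    findings = []
    for name, ident in sorted(current.items()):
        if name not in baseline:
            findings.append(("new-node", name, ident))
        elif baseline[name] != ident:
            findings.append(("retargeted", name, ident))
    # Several names with one (type, major, minor) reach the same driver entry.
    by_ident = defaultdict(list)
    for name, ident in current.items():
        by_ident[ident].append(name)
    for ident, names in sorted(by_ident.items()):
        if len(names) > 1:
            findings.append(("alias", ",".join(sorted(names)), ident))
    return findings

# Constructed sample: BASELINE copies two lines from the post; CURRENT is what
# the listing would look like had ttypb been re-created with ttypc's numbers.
BASELINE = """\
crw--w----   1 jcr   tty         5,  11 Apr 12 06:14:51 2009 ttypb
crw--w----   1 jcr   tty         5,  12 Apr 12 06:14:51 2009 ttypc
"""
CURRENT = """\
crw-------   1 jcr   tty         5,  12 Apr 12 06:20:00 2009 ttypb
crw--w----   1 jcr   tty         5,  12 Apr 12 06:14:51 2009 ttypc
"""

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

Some systems ship legitimate aliases, so an "alias" finding is only meaningful for pairs that are absent from the known-good listing.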
