<div dir="ltr">Hi Harald,<div><br></div><div>Generally, NextEPC recommend to start P-GW as non-root. So, before the starting P-GW, TUN device should be setting up properly.</div><div><br></div><div>Perhaps I need to adjust the TUN device permission section of the NextEPC documentation. In fact, in general, most people don't need this doc part. The reason I wrote was because of the docker environment. TUN didn't work properly in docker, so if I installed udev or modified the permission it worked.</div><div><br></div><div>As you suggested, I'll have to revisit this section and revise the document.</div><div><br></div><div>Thank you for raising this issue.</div><div><br></div><div>Best Regards,</div><div> Sukchan</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Aug 17, 2019 at 10:18 PM Harald Welte <<a href="mailto:laforge@gnumonks.org">laforge@gnumonks.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Sukchan and friends,<br>
<br>
the installation instructions recommend changing the permissions of /dev/net/tun,<br>
which can be dangerous as it gives permissions to potentially many other processes.<br>
<br>
There are several better alternatives to this:<br>
<br>
1) give CAP_NET_ADMIN permission to the pgw binary:<br>
Simply execute "setcap cap_net_admin=ep /usr/local/bin/nextepc-pgwd"<br>
and then you can run the process as 'nextepc' user, like the other processes.<br>
<br>
The sad part about this is that nextepc-pgwd has now the power to reconfigure<br>
anything about linux netwowrking. The best approach would be to drop those<br>
capabiligies after creating/configuring the tun devices using<br>
prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN) - this way it is ensured that<br>
after start-up, no capabilities survive, and even if somebody manages<br>
to get code execution in the PGW, it is not a privilege escalation.<br>
<br>
2) create the tun devices *before* starting the P-GW, and then start the<br>
PGW as non-root. We offer this method in OsmoGGSN, see Section 8.3<br>
of <a href="http://ftp.osmocom.org/docs/latest/osmoggsn-usermanual.pdf" rel="noreferrer" target="_blank">http://ftp.osmocom.org/docs/latest/osmoggsn-usermanual.pdf</a><br>
This can even be done with systemd now.<br>
<br>
I suggest to first change the documentation to recomend the setcap<br>
approach, and then later to adopt privilege dropping or another<br>
approach.<br>
<br>
Regards,<br>
Harald<br>
-- <br>
- Harald Welte <<a href="mailto:laforge@gnumonks.org" target="_blank">laforge@gnumonks.org</a>> <a href="http://laforge.gnumonks.org/" rel="noreferrer" target="_blank">http://laforge.gnumonks.org/</a><br>
============================================================================<br>
"Privacy in residential applications is a desirable marketing option."<br>
(ETSI EN 300 175-7 Ch. A6)<br>
</blockquote></div>