Hi Sukchan and friends,

the installation instructions recommend changing the permissions of /dev/net/tun,
which can be dangerous as it gives permissions to potentially many other processes.

There are several better alternatives to this:

1) give CAP_NET_ADMIN permission to the pgw binary:
   Simply execute "setcap cap_net_admin=ep /usr/local/bin/nextepc-pgwd"
   and then you can run the process as 'nextepc' user, like the other processes.

   The sad part about this is that nextepc-pgwd has now the power to reconfigure
   anything about linux netwowrking.  The best approach would be to drop those
   capabiligies after creating/configuring the tun devices using
   prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN) - this way it is ensured that
   after start-up, no capabilities survive, and even if somebody manages
   to get code execution in the PGW, it is not a privilege escalation.

2) create the tun devices *before* starting the P-GW, and then start the
   PGW as non-root.  We offer this method in OsmoGGSN, see Section 8.3
   of http://ftp.osmocom.org/docs/latest/osmoggsn-usermanual.pdf
   This can even be done with systemd now.

I suggest to first change the documentation to recomend the setcap
approach, and then later to adopt privilege dropping or another
approach.

Regards,
        Harald
--
- Harald Welte <laforge@gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)