This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/nextepc@lists.osmocom.org/.
Harald Welte laforge at gnumonks.org

Hi Sukchan and friends,

the installation instructions recommend changing the permissions of /dev/net/tun, which can be dangerous as it gives permissions to potentially many other processes. There are several better alternatives to this:

1) give CAP_NET_ADMIN permission to the pgw binary: Simply execute "setcap cap_net_admin=ep /usr/local/bin/nextepc-pgwd" and then you can run the process as 'nextepc' user, like the other processes. The sad part about this is that nextepc-pgwd has now the power to reconfigure anything about linux networking. The best approach would be to drop those capabilities after creating/configuring the tun devices using prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN) - this way it is ensured that after start-up, no capabilities survive, and even if somebody manages to get code execution in the PGW, it is not a privilege escalation.

2) create the tun devices *before* starting the P-GW, and then start the PGW as non-root. We offer this method in OsmoGGSN, see Section 8.3 of http://ftp.osmocom.org/docs/latest/osmoggsn-usermanual.pdf This can even be done with systemd now.

I suggest to first change the documentation to recommend the setcap approach, and then later to adopt privilege dropping or another approach.

Regards,
Harald

-- 
- Harald Welte <laforge at gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)
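The privilege-dropping sequence from option 1 above, as an added example that is not from the post, NextEPC or OsmoGGSN: create the TUN device while CAP_NET_ADMIN is still held (the binary is assumed to have received it via setcap as described), then discard it. Besides the prctl(PR_CAPBSET_DROP) the post names, the example also clears the bit from the permitted and effective sets with capset(2), so the already-running process itself loses it; the bounding set only governs what a later execve can acquire. Function names and the interface name are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/capability.h>
#include <linux/if_tun.h>
#include <net/if.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw capget(2), no libcap: 1 if 'cap' is in the effective set, 0 if not, -1 on error. */
int has_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* Step 1, while still privileged: attach /dev/net/tun to interface 'name'.
 * TUNSETIFF needs CAP_NET_ADMIN and fails with EPERM once it is dropped. */
int tun_alloc(const char *name)
{
    struct ifreq ifr = { 0 };
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0) return -1;
    ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) { close(fd); return -1; }
    return fd;
}

/* Step 2: clear CAP_NET_ADMIN from permitted/effective/inheritable via
 * capset(2), then from the bounding set via the prctl the post names (needs
 * CAP_SETPCAP; EPERM is tolerated there, the permitted bit is gone already). */
int drop_net_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    unsigned i = CAP_TO_INDEX(CAP_NET_ADMIN), m = CAP_TO_MASK(CAP_NET_ADMIN);
    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    data[i].effective &= ~m;
    data[i].permitted &= ~m;
    data[i].inheritable &= ~m;
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    if (prctl(PR_CAPBSET_DROP, CAP_NET_ADMIN, 0, 0, 0) < 0 && errno != EPERM) return -1;
    return 0;
}
```

Call tun_alloc() for each device first and drop_net_admin() once before entering the main loop; any later tun_alloc() then fails with EPERM, which is the property the post is after.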