Re: [Qemu-discuss] Tap Devices

[Mike Lovell]

On 11/28/2012 12:26 PM, Frans de Boer wrote:
> Thanks, I did tried that before and setting the sguid bit did work 
> until the point that the device must be written in the /dev directory, 
> having made the /dev/net/tun node made world RW.
> Another option is to create a new system group, and assign tunctl, 
> ifconfig and ovs-vsctl to that group. Assigning the new group to the 
> /dev directory does not seem to be a good (security) idea but might 
> solve the issue for now.

on my system, running ubuntu 12.04, /dev/net/tun by default had world RW 
permissions. i checked the history of udev and its had 0666 as the 
defaults for several years. i'm somewhat surprised that your system 
doesn't have it that way. as i understand things, it doesn't hurt to 
have it world RW since the tun module does permission checking on the 
ioctl requests used to control it. i could be wrong on that one but 
seeing that its been that way by default makes me think its not a problem.

the permissions shouldn't really matter though since all of the work to 
create the tap device should be handled in the helper program. if the 
helper is running as root, then it should be able to open /dev/net/tun 
and issue requests to it properly. are you using sgid or suid on the 
helper? i've never tried it sgid. what does ls -l on the helper look 
like? it should have a s instead of x for the owner permission and it 
needs to be owned by root. like

-rwsr-xr-x 1 root root 32282 Nov 29 10:29 qemu-bridge-helper

i just ran a vm using the qemu-bridge-helper as shown and running qemu 
as my unprivileged user and without sudo. i even did a chmod 660 
/dev/net/tun first and it still worked.

mike