2007-07-09 20:17:38

by Andy Green

Subject: Permissions down /sys

Hi folks -

Is 222 permissions on /sys/class/ieee80211/phy*/add_iface and
remove_iface really okay, or should it perhaps be 220?

--w--w--w- 1 root root 0 2007-07-09 21:11 add_iface
--w--w--w- 1 root root 4096 2007-07-09 21:12 remove_iface

-Andy


2007-07-09 20:58:31

by Michael Büsch

Subject: Re: Permissions down /sys

On Monday 09 July 2007 22:17:35 Andy Green wrote:
> Hi folks -
>
> Is 222 permissions on /sys/class/ieee80211/phy*/add_iface and
> remove_iface really okay, or should it perhaps be 220?
>
> --w--w--w- 1 root root 0 2007-07-09 21:11 add_iface
> --w--w--w- 1 root root 4096 2007-07-09 21:12 remove_iface

IMO the file-permissions are correct, _but_ the following should
be added to _store_remove_iface() and _store_add_iface():

	if (!capable(CAP_NET_ADMIN))
		return -EPERM;

--
Greetings Michael.

2007-07-10 12:57:31

by Johannes Berg

Subject: Re: Permissions down /sys

On Mon, 2007-07-09 at 22:57 +0200, Michael Buesch wrote:
> On Monday 09 July 2007 22:17:35 Andy Green wrote:
> > Hi folks -
> >
> > Is 222 permissions on /sys/class/ieee80211/phy*/add_iface and
> > remove_iface really okay, or should it perhaps be 220?
> >
> > --w--w--w- 1 root root 0 2007-07-09 21:11 add_iface
> > --w--w--w- 1 root root 4096 2007-07-09 21:12 remove_iface
>
> IMO the file-permissions are correct, _but_ the following should
> be added to _store_remove_iface() and _store_add_iface():
>
> 	if (!capable(CAP_NET_ADMIN))
> 		return -EPERM;

Uh huh, yes, of course. Do you have a patch?

johannes



2007-07-09 21:03:58

by Andy Green

Subject: Re: Permissions down /sys

Michael Buesch wrote:
> On Monday 09 July 2007 22:17:35 Andy Green wrote:
>> Hi folks -
>>
>> Is 222 permissions on /sys/class/ieee80211/phy*/add_iface and
>> remove_iface really okay, or should it perhaps be 220?
>>
>> --w--w--w- 1 root root 0 2007-07-09 21:11 add_iface
>> --w--w--w- 1 root root 4096 2007-07-09 21:12 remove_iface
>
> IMO the file-permissions are correct, _but_ the following should
> be added to _store_remove_iface() and _store_add_iface():
>
> 	if (!capable(CAP_NET_ADMIN))
> 		return -EPERM;
>

Fair enough... one or the other needs doing though because right now you
can delete wlan0 as a mortal user (just tried it... you can't nuke
wmaster0 though) and I guess exhaust the possible max interfaces too. I
made a patch changing the perms to S_IWUSR|S_IWGRP, but your method is
smarter.

-Andy
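
The permission check discussed in this thread, as an added shell example that is not part of the original messages: it lists attribute files whose mode has the other-write bit set and shows the mode with that bit cleared (222 becomes 220). The function names are made up for this example, GNU find and stat are assumed, and a hit is only a candidate for review, because the store handler may still reject unprivileged writers with a capable(CAP_NET_ADMIN) check that the file mode does not reveal.

```shell
#!/bin/sh
# Audit a sysfs-style tree for attribute files that any local user may write.
# Added example; function names are hypothetical, not from the thread.

# Print "MODE PATH" for every regular file under $1 with the other-write bit set.
world_writable_attrs() {
    find "$1" -type f -perm -0002 -exec stat -c '%a %n' {} + 2>/dev/null |
        sort -k 2
}

# For each hit, also print the mode with other-write cleared,
# e.g. 222 -> 220 (S_IWUSR|S_IWGRP), the alternative raised in the thread.
report() {
    world_writable_attrs "$1" | while read -r mode path; do
        # stat prints the mode in octal; a leading 0 makes the shell
        # arithmetic read it as octal before masking off 0002.
        strict=$(printf '%o' $(( 0$mode & ~0002 )))
        printf '%s mode=%s without-other-write=%s\n' "$path" "$mode" "$strict"
    done
}

# Run as: sh audit.sh /sys/class
# Each reported file still needs its store handler read to see whether
# a capability check guards the write.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```
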