git.ipfire.org Git - thirdparty/iproute2.git/commit

author	Maximilian Bosch <maximilian@mbosch.me>
	Tue, 22 Aug 2023 12:33:07 +0000 (14:33 +0200)
committer	Stephen Hemminger <stephen@networkplumber.org>
	Wed, 23 Aug 2023 15:06:30 +0000 (08:06 -0700)
commit	df210e83e0fab40209a71c70cd089fc1d66e275e
tree	7f830f648ec3870bb5cf325429ffea84bdf9525a	tree \| snapshot
parent	92e9915c36b7d4820f004fa74e0d93be99b8272a	commit \| diff

ip-vrf: recommend using CAP_BPF rather than CAP_SYS_ADMIN

The CAP_SYS_ADMIN capability allows far too much, to quote
`capabilities(7)`:

    Note: this capability is overloaded; see Notes to kernel developers, below.

In the case of `ip-vrf(8)` this is needed to load a BPF program.
According to the same section of the same man-page, using `CAP_BPF` is
preferred if that's the reason for `CAP_SYS_ADMIN`;

    perform  the  same BPF operations as are governed by CAP_BPF (but the latter, weaker capability is preferred for accessing
    that functionality).

Local testing revealed that `ip vrf exec` for an unprivileged user is
sufficient if the `CAP_BPF` capability is given rather than
`CAP_SYS_ADMIN`.

In a previous version of the patch[1] it was mentioned that
CAP_SYS_ADMIN was still required for Linux <5.8, however it was
suggested to not make man-pages dependent on the kernel version. Also,
it was suggested to improve the wording and the formatting of the entire
paragraph mentioning capabilities which was also done.

Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>
[1] https://lore.kernel.org/netdev/e6t4ucjdrcitzneh2imygsaxyb2aasxfn2q2a4zh5yqdx3vold@kutwh5kwixva/T/#m628a1900a7e5012bb87e6cb3c94af6c7281cf2bf

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

ip/ip.c		diff \| blob \| blame \| history
man/man8/ip-vrf.8		diff \| blob \| blame \| history