Bug 185023 - [tun] Closing tun<n> interface deconfigures IP address
Summary: [tun] Closing tun<n> interface deconfigures IP address
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-20 11:20 UTC by jphartmann
Modified: 2018-10-20 08:28 UTC (History)
1 user (show)

See Also:

Attachments
Proposed patch (2.22 KB, patch)
2018-10-20 05:34 UTC, Seth Hoffert 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description jphartmann 2013-12-20 11:20:01 UTC 
When a /dev/tun special file is closed, it loses its assigned IP address.  

Looks like it happens near line 467 of if_tun.c (the close routine), but I am not sure exactly where.

How-To-Repeat: [root@fb91 ~]# ifconfig tun0 up 10.0.0.103  10.0.0.104
[root@fb91 ~]# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::7254:d2ff:fe45:e0a0%tun0 prefixlen 64 scopeid 0x5 
        inet 10.0.0.103 --> 10.0.0.104 netmask 0xff000000 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
[root@fb91 ~]# cat /dev/tun0
^C
[root@fb91 ~]# ifconfig tun0
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Comment 1 jphartmann 2013-12-20 11:30:30 UTC 
Perhaps I should describe my application.

I wish to configure a tun device at boot with an IP address and chown the
corresponding /dev/tun file to the userID that will use it running
Hercules.  The other end of the tunnel is an IBM System/360
channel-to-channel adapter.

I would like to be able to restart Hercules without having to issue
commands (or ioctl()s) that require root privileges.

Hercules ships a setuid program, hercifc, to set interface parameters by
ioctl().  I am required to be rid of this trojan horse.

Thanks,

   j.
Comment 2 jphartmann 2014-01-06 12:57:50 UTC 
The error was introduced by
http://www.freebsd.org/cgi/query-pr.cgi?pr=100080
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2014-01-07 02:53:21 UTC 
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 4 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:07 UTC 
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 5 Seth Hoffert 2018-10-20 05:34:35 UTC 
Created attachment 198393 [details]
Proposed patch

I took a stab at patching tun to bring it into parity with tap.  In line with tap behavior, it will check for the IFF_LINK0 flag on the interface.  If present, it will persist the IPs and routes even when the device node is closed.

In addition to the use case listed in earlier comments, this makes IP-aliased jail interaction with tun nicer in that processes within the jail (e.g. OpenVPN) can be bounced without having to restart the jail or externally reconfigure IPs/routes on the tun.
Comment 6 jphartmann 2018-10-20 08:28:16 UTC 
Thank you.

The current behaviour actually has a security issue as a non-privileged user can cause reconfiguration, i.e., remove the ip address from the interface.  E.g., (from a linux system where this bug arrived some five years ago):

openvpn --mktun --dev tun4 --user john --group john
ifconfig tun4 up 10.0.0.32/30 pointopoint 10.0.0.33

User john now has escalated privileges with respect to the configuration of tun4, insofar as he can clear the IP address assigned simply by opening and closing the device.