https://bugzilla.novell.com/show_bug.cgi?id=765948 https://bugzilla.novell.com/show_bug.cgi?id=765948#c9 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|krahmer@suse.com | --- Comment #9 from Sebastian Krahmer 2012-08-20 07:53:43 UTC --- Following the least privilege principle, we should use that option, yes. (We'd need to check that libcapng doesnt potentially contain any horrible holes itself.) If thats not possible to use libcapng, privileges should be dropped ASAP nevertheless, e.g. after opening the tun device if possible; or at least before the send_fd() is called, because evil users might use that to send messages with wrong peer credentials to nscd or similar (bridge helper is sending message as root to any socket on users behalf, so targeted server will see peer.uid==0). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.