Development discussion of WireGuard
From: Ximin Luo <ximin@dfinity.org>
To: Tim Sedlmeyer <tim@sedlmeyer.org>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Using WG for transport security in a p2p network
Date: Thu, 5 Apr 2018 12:00:31 -0700	[thread overview]
Message-ID: <CADX+UFhFXPYenUp=p+xUReR0ej4LRb43qZq=FLSfXjaYBgthjg@mail.gmail.com> (raw)
In-Reply-To: <CAK_h9uGko4XWco9UVi2nRj7vMSj3tSKHyPhpPW32fZ5qbb4g3Q@mail.gmail.com>


On Thu, Apr 5, 2018 at 9:06 AM, Tim Sedlmeyer <tim@sedlmeyer.org> wrote:

> On Thu, Apr 5, 2018 at 3:13 AM, Matthias Urlichs <matthias@urlichs.de> wrote:
> >
> > Ideally we wouldn't need root
> >
> > If you go the netlink route, you do need one process that has the
> > appropriate privilege, which means root at install time (but not runtime).
>
> The process doesn't need full root permissions even at install time.
> Whatever process is going to create and manage
> the interfaces needs the CAP_NET_ADMIN capability.

Thanks, that's good to know. CAP_NET_ADMIN is "almost root" though (e.g.
see [1]), so it would be more comfortable to not even require that. But I
guess a "next best thing" would be to put minimal logic inside a small
program and give only this program CAP_NET_ADMIN. Possibly wireguard-rs's
`wgrs` has both sufficient and not-too-much functionality that we could
directly `setcap` that, I'll have to look into it in more detail.
Unfortunately `wg-quick` is a shell script which is more annoying to try to
`setcap` on.

Another approach I was thinking of was to extend wireguard to expose a
SOCKS5-UDP interface, or even simpler just a socket-wrapper API like
Python's `ssl.wrap_socket()`, and not use tunnel interfaces at all. Of
course this would run in userspace, but wireguard-rs already does that, so I
hope there would be no "extra" performance penalty. Then one could run QUIC
through this, and I know that some SCTP implementations can run on top of
UDP too. Any further comments on this idea would be much appreciated.

X

[1] https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
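The "small program that alone holds CAP_NET_ADMIN" idea in the message above comes down to a least-privilege check: after `setcap cap_net_admin+ep` on the helper binary, the helper's effective and permitted capability sets should contain that one capability and nothing else. The following is an added example, not code from this thread, from WireGuard or from wireguard-rs: it decodes the Cap* lines of /proc/<pid>/status into capability names and reports anything beyond an allow-list. The helper name wg-helper and both status samples are constructed for illustration; the capability numbers are the ones defined in linux/capability.h.

```python
"""Verify that a capability-restricted helper carries only CAP_NET_ADMIN.

Parses the Cap* lines of a /proc/<pid>/status file (live or captured),
decodes the hexadecimal bitmasks into capability names, and flags any
capability outside an allow-list. Capability numbers: linux/capability.h.
"""
import re

# Subset of capability numbers from <linux/capability.h>; the values are
# part of the kernel ABI and do not change between releases.
CAP_NAMES = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER",
    4: "CAP_FSETID",
    5: "CAP_KILL",
    6: "CAP_SETGID",
    7: "CAP_SETUID",
    8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE",
    11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
    18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",
    27: "CAP_MKNOD",
    31: "CAP_SETFCAP",
}
CAP_NET_ADMIN = 12

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_status(text):
    """Return {'CapEff': int, 'CapPrm': int, ...} from a /proc/<pid>/status text."""
    masks = {}
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def decode(mask):
    """Map a capability bitmask to a sorted list of names (unknown bits as CAP_<n>)."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES.get(bit, "CAP_%d" % bit))
        bit += 1
    return sorted(names)


def excess_caps(masks, allowed=frozenset({CAP_NET_ADMIN})):
    """Capabilities in the effective OR permitted set that are not in `allowed`.

    Permitted is checked as well as effective because a process can re-raise
    any permitted capability with capset(2); only the effective set being
    small is not enough for a least-privilege argument.
    """
    allowed_mask = 0
    for n in allowed:
        allowed_mask |= 1 << n
    held = masks.get("CapEff", 0) | masks.get("CapPrm", 0)
    return decode(held & ~allowed_mask)


def read_status(pid="self"):
    """Read a live process on Linux; returns {} where /proc is unavailable."""
    try:
        with open("/proc/%s/status" % pid) as f:
            return parse_status(f.read())
    except OSError:
        return {}


# Constructed samples (not real captures): the hypothetical wg-helper binary
# started by an unprivileged user after `setcap cap_net_admin+ep`, and the
# same helper mistakenly started as full root.
HELPER_STATUS = """Name:\twg-helper
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

ROOT_STATUS = """Name:\twg-helper
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for label, text in (("setcap helper", HELPER_STATUS), ("root helper", ROOT_STATUS)):
        masks = parse_status(text)
        print(label, "effective:", decode(masks["CapEff"]))
        print(label, "excess:", excess_caps(masks) or "none")
```

On a live system, `excess_caps(read_status(pid))` run against the helper's PID gives the same check; an empty result means the process holds no capability beyond CAP_NET_ADMIN. Note that the kernel ignores file capabilities on `#!` scripts, exactly as it ignores a setuid bit on them, because it executes the interpreter rather than the script; that is why a shell script such as `wg-quick` cannot simply be given the capability, and the privileged piece has to be a native binary.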



Thread overview: 14+ messages
2018-04-05  3:22 Ximin Luo
2018-04-05  7:13 ` Matthias Urlichs
2018-04-05 16:06   ` Tim Sedlmeyer
2018-04-05 19:00     ` Ximin Luo [this message]
2018-04-05 18:07   ` Ximin Luo
2018-04-05 19:49     ` Matthias Urlichs
2018-04-14 16:01   ` Bruno Wolff III
2018-04-14 18:33     ` Matthias Urlichs
2018-04-05 15:32 ` Kalin KOZHUHAROV
2018-04-05 18:17   ` Ximin Luo
2018-04-06 17:59 ` Jason A. Donenfeld
2018-04-20 15:20   ` Ximin Luo
2018-04-20 15:44     ` Ximin Luo
2018-04-20 19:27       ` Jason A. Donenfeld
