On Fri, 30 May 2008 18:59:26 -0700
ebiederm@xmission.com (Eric W. Biederman) wrote:
Stephen Hemminger [off-list ref] writes:
> Extend the permission check for networking sysctls to allow
> modification when the current process has the CAP_NET_ADMIN capability and
> is not root. This version uses the until-now unused permissions hook
> to override the mode value for /proc/sys/net if accessed by a user
> with capabilities.
Looks reasonable but a little incomplete.
Could you modify register_net_sysctl_table to set this attribute?
Or alternatively all of the tables registered with register_net_sysctl.
Otherwise I think this will not affect all of the sysctls under
/proc/sys/net, which appears to be your intent.
> Found while working with Quagga. It is impossible to turn forwarding
> on/off through the command interface because Quagga uses the secure coding
> practice of dropping privileges during initialization and only raising
> them via capabilities when necessary. Since the daemon has reset its real/effective
> uid after initialization, all attempts to access /proc/sys/net variables
> will fail.
Eric
Unnecessary: it is a property of the root, and there is only one call to register_sysctl_root
in the current code, and that registers the net_sysctl_root structure.
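The failure Stephen describes and the effect of the per-root permissions hook can be checked without a kernel. The following is an added example, not the patch and not kernel code: a user-space model whose shape follows the 2.6.26-era sysctl_perm()/test_perm() check (owner/group/other bits selected by euid and root-group membership) and a hook on the table root that, for a CAP_NET_ADMIN caller, copies the root-owner bits into the group and other positions. All names prefixed model_ are this example's own, and the 0644 mode is assumed for a root-owned entry such as net.ipv4.ip_forward. It shows why a daemon that has reset its uid gets EACCES even with CAP_NET_ADMIN raised (the DAC test never consults that capability), and how installing the hook on the single net sysctl root changes that without touching the individual tables.

```c
/*
 * User-space model of the sysctl permission check discussed in the thread.
 * Added example, not kernel code and not the patch itself. The model_
 * names are this example's; the logic mirrors the shape of the
 * 2.6.26-era sysctl_perm()/test_perm() and a ctl_table_root permissions hook.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAY_EXEC  0x1
#define MAY_WRITE 0x2
#define MAY_READ  0x4

/* The credential fields the check reads (stand-in for current->euid,
 * in_egroup_p(0) and capable(CAP_NET_ADMIN)). */
struct model_cred {
    unsigned euid;
    bool in_root_group;
    bool cap_net_admin;
};

/* The root a table was registered under; a NULL hook means "use the
 * table's mode as-is", which is the pre-patch behaviour. */
struct model_root {
    int (*permissions)(const struct model_cred *cred, int mode);
};

/* Classic DAC test: select the owner/group/other triple for the caller,
 * then require every requested bit to be present. /proc/sys/net entries
 * are root-owned, so a non-root euid falls through to the "other" bits. */
static int model_test_perm(const struct model_cred *cred, int mode, int op)
{
    if (cred->euid == 0)
        mode >>= 6;
    else if (cred->in_root_group)
        mode >>= 3;
    if ((op & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
        return 0;
    return -EACCES;
}

/* The hook for the net sysctl root: a CAP_NET_ADMIN caller sees the owner
 * (root) bits replicated into group and other, i.e. it is treated like
 * uid 0 for this subtree only. Anyone else sees the unmodified mode. */
static int model_net_ctl_permissions(const struct model_cred *cred, int mode)
{
    if (cred->cap_net_admin) {
        int owner = (mode >> 6) & 7;
        return (owner << 6) | (owner << 3) | owner;
    }
    return mode;
}

/* sysctl_perm(): ask the root for an effective mode, then run the DAC test. */
static int model_sysctl_perm(const struct model_root *root,
                             const struct model_cred *cred, int mode, int op)
{
    int eff = root->permissions ? root->permissions(cred, mode) : mode;
    return model_test_perm(cred, eff, op);
}

/* Can this cred write a 0644 root-owned entry (assumed mode for
 * net.ipv4.ip_forward) under the old or the patched root? 0 or -EACCES. */
int model_try_write_ip_forward(const struct model_cred *cred, bool patched)
{
    const struct model_root old_root = { .permissions = NULL };
    const struct model_root new_root = { .permissions = model_net_ctl_permissions };
    return model_sysctl_perm(patched ? &new_root : &old_root, cred, 0644, MAY_WRITE);
}

int main(void)
{
    /* Quagga after initialisation: euid reset to an unprivileged user,
     * CAP_NET_ADMIN raised into the effective set for this one operation. */
    const struct model_cred quagga = { .euid = 1000, .in_root_group = false, .cap_net_admin = true };
    const struct model_cred plain  = { .euid = 1000, .in_root_group = false, .cap_net_admin = false };
    const struct model_cred root   = { .euid = 0,    .in_root_group = true,  .cap_net_admin = true };

    printf("unpatched, uid 1000 + CAP_NET_ADMIN: %d\n", model_try_write_ip_forward(&quagga, false)); /* -13 */
    printf("patched,   uid 1000 + CAP_NET_ADMIN: %d\n", model_try_write_ip_forward(&quagga, true));  /*   0 */
    printf("patched,   uid 1000, no capability: %d\n", model_try_write_ip_forward(&plain, true));   /* -13 */
    printf("unpatched, uid 0:                    %d\n", model_try_write_ip_forward(&root, false));   /*   0 */
    return 0;
}
```

The hook lives on the root rather than on each table because every table under /proc/sys/net is registered against the same net sysctl root, so one hook covers the whole subtree; a process without CAP_NET_ADMIN is left with the ordinary mode bits and still gets EACCES.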