9

I use the 'tap' net device with KVM to get my VM connected to the Internet. But I have to be root, or use 'sudo', which is inconvenient. I think I can put my user account into some group so I can access the net device without root privilege. I tried the netdev group, but it does not work. My account is already in the kvm group.

What else should I do? Or is there any way to allow me to use KVM freely without permission issues?

David S.

2 Answers

6

The group is whoever has read and write permissions to /dev/net/tun. The default setup varies from distribution to distribution. The ownership and permissions of devices are set by udev.

Create a file /etc/udev/rules.d/zzz_net_tun.rules containing

KERNEL=="tun", GROUP="netdev", MODE="0660", OPTIONS+="static_node=net/tun"

This will make the device accessible by all users in the netdev group. The setting takes effect when the device is created, so if it already exists, do chgrp netdev /dev/net/tun; chmod 660 /dev/net/tun.

(adapted from the Gentoo Wiki)

Gilles 'SO- stop being evil'
  • I tried the last two commands on my Ubuntu 15.04 box but user space applications still can't seem to access it: "qemu-system-arm: -net tap,ifname=tap0: could not configure /dev/net/tun (tap0): Operation not permitted". I verified that the group is set to `netdev` and permissions set to `0660`. (And I'm in the `netdev` group.) – Nathan Osman Nov 16 '15 at 02:30
  • @NathanOsman What's the output of `groups` and `ls -l /dev/net/tun`? Run `strace -o qemu.strace qemu-system-arm -net tap,ifname=tap0 …` and look at the part of the trace where it tries to open `/dev/net/tun`. What's going on exactly? If you can't figure it out, ask a new question with all this information. – Gilles 'SO- stop being evil' Nov 16 '15 at 11:27
  • I finally decided to just ask a new question anyway: http://unix.stackexchange.com/q/243382/1049 I'll still run `strace` and see if I can't get to the bottom of this. – Nathan Osman Nov 16 '15 at 18:42
  • Hi! I followed this answer (I'm in the group netdev, I added the udev rule, opened a new shell to make the group take effect) but I'm still getting the message "could not open /dev/net/tun: Permission denied". Ubuntu 16.04. Any suggestions? Thanks. – Chan Kim Apr 14 '21 at 14:07
  • @ChanKim Opening a shell is not enough. You need to log out and back in. Check with `id` or `groups` that you are in the group as expected. – Gilles 'SO- stop being evil' Apr 14 '21 at 14:43
  • `id` and `groups` show that I'm in group netdev. I tried changing the udev rule file so that the tun device belongs to me, or even changing the /dev/net/tun permission to 777 (including the /dev/net directory). It's the same for me. Strange.. – Chan Kim Apr 14 '21 at 21:11
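
The ownership and mode check this answer relies on, together with the re-login point from the comments, as an added example that is not part of the original answer or comments. The function names `has_rw`, `diagnose` and `check_tun` and the sample user `alice` are hypothetical; `check_tun` assumes GNU `stat` and `id`.

```shell
#!/bin/sh
# Added example: names and sample values below are constructed.

# has_rw MODE OWNER GROUP USER "GROUPS"
# Succeeds if USER, holding GROUPS, gets read+write on a node whose
# `stat -c '%a %U %G'` output is MODE OWNER GROUP.
has_rw() {
    if [ "$4" = root ]; then return 0; fi   # root bypasses the mode bits
    m=000$1
    o=${m#"${m%???}"}                       # last three octal digits
    case " $5 " in *" $3 "*) in_group=1 ;; *) in_group=0 ;; esac
    # Exactly one class applies: owner, else group, else other.
    if [ "$4" = "$2" ]; then bits=${o%??}
    elif [ "$in_group" = 1 ]; then g=${o#?}; bits=${g%?}
    else bits=${o#??}
    fi
    [ $((bits & 6)) -eq 6 ]
}

# diagnose MODE OWNER GROUP USER "SESSION_GROUPS" "DATABASE_GROUPS"
# Prints ok, relogin (group granted in the account database but missing
# from the running session), or denied.
diagnose() {
    if has_rw "$1" "$2" "$3" "$4" "$5"; then echo ok
    elif has_rw "$1" "$2" "$3" "$4" "$6"; then echo relogin
    else echo denied
    fi
}

# check_tun [NODE]: the same decision for the live system (GNU stat and id).
check_tun() {
    st=$(stat -c '%a %U %G' "${1:-/dev/net/tun}") || return 2
    set -- $st
    # `id -nG` reports this process; `id -nG USER` reads the group database.
    diagnose "$1" "$2" "$3" "$(id -un)" "$(id -nG)" "$(id -nG "$(id -un)")"
}

# Constructed samples: alice was just added to netdev, session not renewed.
diagnose 660 root netdev alice "alice kvm" "alice kvm netdev"         # relogin
diagnose 660 root netdev alice "alice kvm netdev" "alice kvm netdev"  # ok
diagnose 660 root root alice "alice kvm netdev" "alice kvm netdev"    # denied
```

Call `check_tun` on the affected machine; it covers only opening the device node. QEMU's "could not configure /dev/net/tun … Operation not permitted" message is reported after the open has succeeded, at the interface-configuration ioctl, where the kernel requires CAP_NET_ADMIN to create a new tap interface.
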
0

Make sure you are part of the KVM group also. The recommendation is to make all virtualization things (network configuration, firmware access, qemu configuration) available to the kvm group.