Hi,

I just looked more carefully through some issues reported when pushing
out the openvpn-2.4.4 release.

----------------------------------------------------------------------
      {
         "module" : "RpmScripts",
         "order" : 90,
         "results" : [
            {
               "arch" : "src",
               "code" : "UseraddNoUid",
               "context" : {
                  "excerpt" : [
                     "useradd -r -g openvpn -s /sbin/nologin -c OpenVPN -d /etc/openvpn openvpn"
                  ],
                  "lineno" : 149,
                  "path" : "openvpn.spec",
                  "sub" : "%pre"
               },
               "diag" : "Invocation of <tt>useradd</tt> without specifying a UID; this may be OK, because /usr/share/doc/setup/uidgid defines no UID for <var>openvpn</var>"
            }
         ],
         "run_time" : 0,
         "status" : "completed"
      },
----------------------------------------------------------------------

This made me wonder if it would be beneficial to allocate a fixed
UID/GID value for the openvpn user and group account?  Is that
advisable?  And what would be the process for doing so?

It is highly recommended by upstream to let OpenVPN change uid/gid
to an unprivileged account after the initial setup has completed;
OpenVPN does that in the correct order when applying --user/--group
to the configuration.

And we are also working towards a brand new Linux client based on
the OpenVPN 3 Core library, which will also run several helper processes
unprivileged; only the core tunnel instance starts with root
privileges for tunnel setup.  All the session management and user
front-ends will run completely unprivileged.

But whether these scenarios are reasonable arguments for having a fixed
uid/gid, I do not currently know.  The OpenVPN source code itself
is not tied to any specific uid/gid values.  All it uses is the
openvpn user/group name; and currently the openvpn.spec file
calls `useradd` directly as part of the installation process.


-- 
kind regards,

David Sommerseth

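As an added example (not from openvpn.spec and not OpenVPN project code), here is what the %pre account creation discussed above looks like when it is made idempotent with the `getent || groupadd/useradd` pattern and extended to optionally take a fixed id. OPENVPN_UID and OPENVPN_GID are hypothetical knobs introduced for the illustration; when they are unset the script behaves like the spec's plain `useradd -r` and lets the tools pick a free system id. The one extra check is the failure mode a fixed id brings with it: if the requested id already belongs to some other account, `useradd -u`/`groupadd -g` fail with "already exists" and abort the package install, so the script falls back to dynamic allocation and warns instead.

```shell
#!/bin/sh
# Added example, not from openvpn.spec or the OpenVPN project: an idempotent
# %pre-style scriptlet creating the openvpn group and user with the
# "getent || groupadd/useradd" pattern. OPENVPN_UID and OPENVPN_GID are
# hypothetical knobs for the fixed-id case; when unset, groupadd/useradd
# pick a free system id, exactly as the spec's current `useradd -r` does.

OPENVPN_NAME=openvpn
OPENVPN_HOME=/etc/openvpn

# Thin wrapper around getent so the existence checks can be stubbed when the
# script is exercised as non-root. $1 is the database (group or passwd),
# $2 an account name or a numeric id (getent accepts both).
account_exists() {
    getent "$1" "$2" >/dev/null 2>&1
}

# Prints "-g GID" / "-u UID" if a fixed id was requested and is free.
# A fixed id that already belongs to a different account would make
# groupadd/useradd fail with "already exists" and abort the install, so in
# that case warn and print nothing, i.e. fall back to a dynamic id.
fixed_id_option() {
    db=$1; flag=$2; id=$3
    [ -z "$id" ] && return 0
    if account_exists "$db" "$id"; then
        echo "warning: $db id $id already in use, falling back to dynamic id" >&2
        return 0
    fi
    printf '%s %s' "$flag" "$id"
}

# Emits, one per line, the commands %pre would run. Emitting instead of
# executing keeps the decision logic inspectable and testable without root;
# a real scriptlet would run the same commands directly.
openvpn_account_cmds() {
    if ! account_exists group "$OPENVPN_NAME"; then
        gid_opt=$(fixed_id_option group -g "${OPENVPN_GID:-}")
        echo "groupadd -r ${gid_opt:+$gid_opt }$OPENVPN_NAME"
    fi
    if ! account_exists passwd "$OPENVPN_NAME"; then
        uid_opt=$(fixed_id_option passwd -u "${OPENVPN_UID:-}")
        echo "useradd -r ${uid_opt:+$uid_opt }-g $OPENVPN_NAME -d $OPENVPN_HOME -s /sbin/nologin -c OpenVPN $OPENVPN_NAME"
    fi
    return 0
}

# Stand-alone run: show what would be executed on this host.
openvpn_account_cmds
```

In a real spec the same commands go straight into `%pre`, with `Requires(pre): shadow-utils` so groupadd/useradd are guaranteed to be present when the scriptlet runs. Whatever id the account ends up with, the daemon-side half of the story is unchanged: `--user openvpn`/`--group openvpn` only need the name, and in a config that drops privileges they should be paired with `persist-key` and `persist-tun`, since after the switch the process can no longer re-read keys or re-open the tun device on a restart.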

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
