On Tue, Apr 24, 2018 at 12:03:37PM +0200, Christian Hesse wrote:
> The above snippet holds code for both the netlink and iproute2 versions.
>
> The iproute2 version (that is what is used currently) uses systemd option
> "CapabilityBoundingSet" to limit the capabilities to the given set. If
> configured, openvpn will drop privileges after setup.
>
> With netlink and my patch on top we go the other way: The process runs (and
> is started) with user "openvpn". To grant required privileges we use
> systemd option "AmbientCapabilities" and give capabilities to the process.
> The process keeps these capabilities, but that's a benefit: The process
> survives a reconnect that requires configuration changes and shuts down
> cleanly (takes down routes and addresses).
Hello Christian,

Thanks for the confirmation, that's what I assumed.

> I do not agree that the process is running with root privileges. It has some
> extra capabilities, but it can not kill processes, fork away and change
> cgroups, etc.
> IMHO that is what we want to achieve.

I disagree. A process with CAP_DAC_OVERRIDE can read/write _every_ file on
the system (man 7 capabilities)! This equals root privileges. Even
CAP_NET_ADMIN is very powerful as it allows modifying the firewall, which
might give access to sensitive services which are normally not exposed.

> For this patch I took the current set of capabilities and stripped CAP_SETGID
> and CAP_SETUID for the netlink version. Whether or not the other capabilities
> are required should be discussed independently. Wondering why we have
> CAP_DAC_OVERRIDE in our capability set... That looks suspicious
> indeed.

Even with CAP_DAC_OVERRIDE stripped this change keeps openvpn running with
(much) more privileges than before. Is this desirable?

Regards
Simon

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
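The two unit styles discussed above (CapabilityBoundingSet with a root start and a later privilege drop, versus AmbientCapabilities on a process started as user "openvpn") differ in what the running process actually holds in CapEff, and that is the set worth checking rather than the unit file. The script below is an added example for this editorial copy, not code from the thread, from OpenVPN or from systemd: it decodes the Cap* masks in /proc/<pid>/status and flags capabilities that are root-equivalent on their own (the classification, and the sample capability sets in the two constructed status excerpts, are the editor's assumptions, not OpenVPN's real unit configuration).

```python
"""Decode Cap* masks from /proc/<pid>/status and flag root-equivalent ones.

Added example (editor's code); not OpenVPN's or systemd's own code.
"""
import re

# Bit numbers from <linux/capability.h>: CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BITS = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Editor's classification (assumption, not from the thread): capabilities that on
# their own give a path back to full root, e.g. CAP_DAC_OVERRIDE lets the process
# write /etc/shadow or any root-owned binary regardless of file permissions.
ROOT_EQUIVALENT = {
    "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_CHOWN", "CAP_FOWNER",
    "CAP_SETUID", "CAP_SETFCAP", "CAP_SYS_ADMIN", "CAP_SYS_MODULE",
    "CAP_SYS_PTRACE", "CAP_SYS_RAWIO", "CAP_MKNOD",
}
# Powerful but narrower (firewall, raw sockets, ...): report, do not auto-fail.
HIGH_IMPACT = {"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_SETGID"}


def mask_to_caps(hex_mask):
    """'0000000000001002' -> {'CAP_DAC_OVERRIDE', 'CAP_NET_ADMIN'}."""
    value = int(hex_mask, 16)
    return {name for name, bit in CAP_BITS.items() if value >> bit & 1}


def caps_to_mask(names):
    """Inverse of mask_to_caps, formatted the way /proc/<pid>/status prints it."""
    value = 0
    for name in names:
        value |= 1 << CAP_BITS[name]
    return "%016x" % value


def parse_status(text):
    """Pull the real uid and the five Cap* lines out of /proc/<pid>/status."""
    info = {"uid": None, "caps": {}}
    for line in text.splitlines():
        m = re.match(r"^(Uid|Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s+(\S+)", line)
        if not m:
            continue
        key, val = m.groups()
        if key == "Uid":
            info["uid"] = int(val)  # first Uid field is the real uid
        else:
            info["caps"][key] = mask_to_caps(val)
    return info


def assess(text):
    """Return (verdict, root_equivalent_caps, high_impact_caps) from CapEff."""
    info = parse_status(text)
    eff = info["caps"].get("CapEff", set())
    root_equiv = sorted(eff & ROOT_EQUIVALENT)
    high = sorted(eff & HIGH_IMPACT)
    if info["uid"] == 0 or root_equiv:
        verdict = "root-equivalent"
    elif high:
        verdict = "privileged"
    else:
        verdict = "unprivileged"
    return verdict, root_equiv, high


def assess_pid(pid):
    """Same check against a live process (needs read access to its status file)."""
    with open("/proc/%d/status" % pid) as f:
        return assess(f.read())


# Constructed samples (not OpenVPN's real unit): an AmbientCapabilities process that
# keeps its set for its whole lifetime, and a bounding-set process after dropping root.
AMBIENT_SET = ["CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_NET_BIND_SERVICE", "CAP_DAC_OVERRIDE"]
_TEMPLATE = "Name:\topenvpn\nUid:\t983\t983\t983\t983\n" \
            "CapInh:\t%s\nCapPrm:\t%s\nCapEff:\t%s\nCapBnd:\t%s\nCapAmb:\t%s\n"
NETLINK_STATUS = _TEMPLATE % ((caps_to_mask(AMBIENT_SET),) * 5)
DROPPED_STATUS = _TEMPLATE % ("0" * 16, "0" * 16, "0" * 16, caps_to_mask(AMBIENT_SET), "0" * 16)

if __name__ == "__main__":
    for label, status in (("ambient", NETLINK_STATUS), ("after drop", DROPPED_STATUS)):
        print("%s: %s root-equivalent=%s high-impact=%s" % ((label,) + assess(status)))
```

Run it against a real service with `assess_pid(<pid of openvpn>)`; the constructed "ambient" sample comes back root-equivalent because of CAP_DAC_OVERRIDE, and only "privileged" once that bit is removed, which is the distinction the thread is arguing about.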
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel