Hi,

On 24/04/18 21:08, Simon Ruderich wrote:
>> I do not agree that the process is running with root privileges. It has some
>> extra capabilities, but it cannot kill processes, fork away and change
>> cgroups, etc.
>> IMHO that is what we want to achieve.
>
> I disagree. A process with CAP_DAC_OVERRIDE can read/write
> _every_ file on the system (man 7 capabilities)! This equals root
> privileges. Even CAP_NET_ADMIN is very powerful as it allows
> modifying the firewall which might give access to sensitive
> services which are normally not exposed.
>
>> For this patch I took the current set of capabilities and stripped CAP_SETGID
>> and CAP_SETUID for the netlink version. Whether or not the other capabilities
>> are required should be discussed independently. Wondering why we have
>> CAP_DAC_OVERRIDE in our capability set... That looks suspicious
>> indeed.
>
> Even with CAP_DAC_OVERRIDE stripped this change keeps openvpn
> running with (much) more privileges than before. Is this
> desirable?
I think it depends on your perspective. What Christian says is that with this patch:

1) you can start openvpn as non-root directly (impossible right now)
2) you have full support for tunnel reconfiguration even when running as non-root
   (people willing to achieve this now must start and keep openvpn running as root)

I consider both points above steps forward towards a better security model for OpenVPN.

OTOH I understand that there are people that don't care about having a working tunnel
reconfiguration and are fine with starting openvpn as root (and then dropping privileges).
For these people, adding the above capabilities results in giving the openvpn process
more power than before.

Maybe users willing to adopt this stricter behaviour should have a knob somewhere that
will enable the usual run-as-root-and-then-drop-priv-with-no-caps?

Generally speaking I believe that openvpn, as a VPN and partly routing daemon, should be
allowed to run with CAP_NET_ADMIN set as it enables more features (tunnel reconfiguration
to start with).

Maybe clients should run with the caps by default while servers should be launched with
the original behaviour? Not sure, honestly.

Cheers,

-- 
Antonio Quartulli
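The disagreement above is about what a "non-root" openvpn process can actually do once it has been given a capability set. That is checkable rather than a matter of perspective: the kernel reports every process's capability masks in /proc/<pid>/status. The following is an added example written for this thread (it is not OpenVPN code and not part of the patch) that decodes those masks and flags the capabilities commonly treated as root-equivalent. The capability bit numbers come from the kernel's capability.h; the ROOT_EQUIVALENT set is the editor's judgement, seeded with the three capabilities the thread argues about (CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID). The sample /proc status text is constructed, not captured from a real host.

```python
"""Decode a process's Linux capability sets from /proc/<pid>/status.

Added example for the openvpn-devel thread (not OpenVPN code): turn the
hex masks the kernel reports (CapInh, CapPrm, CapEff, CapBnd, CapAmb) into
names and flag the ones that amount to root, so "runs as nobody" can be
checked against the real effective set instead of assumed.
"""
import re

# Bit positions from include/uapi/linux/capability.h; list index == bit.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that on their own let a process read/write any file or regain
# full root.  CAP_DAC_OVERRIDE, CAP_SETUID and CAP_SETGID are the ones the
# thread discusses; the rest are the usual additions from capabilities(7)
# and hardening guides.  Editor's judgement, not a kernel-defined list.
ROOT_EQUIVALENT = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_SETFCAP",
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_MKNOD",
}

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)", re.M)
_UID_LINE = re.compile(r"^Uid:\s*(\d+)\s+(\d+)", re.M)


def decode_caps(mask):
    """Map a capability bitmask to names, lowest bit first.  Bits newer than
    this table (future kernels) are reported as CAP_<bit>."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def parse_status(text):
    """Extract capability masks (as ints) and real/effective uid from the
    contents of /proc/<pid>/status."""
    info = {name: int(hexmask, 16) for name, hexmask in _CAP_LINE.findall(text)}
    m = _UID_LINE.search(text)
    if m:
        info["uid"], info["euid"] = int(m.group(1)), int(m.group(2))
    return info


def audit_status(text):
    """Summarise what the process can actually do, from its status text."""
    info = parse_status(text)
    eff = decode_caps(info.get("CapEff", 0))
    return {
        "uid": info.get("uid"),
        "effective": eff,
        "root_equivalent": [c for c in eff if c in ROOT_EQUIVALENT],
        "net_admin": "CAP_NET_ADMIN" in eff,
        # uid 0 makes the capability set moot: root that never dropped
        # privileges holds everything anyway.
        "is_root": info.get("uid") == 0,
    }


def audit_pid(pid="self"):
    """Audit a live process, e.g. audit_pid(<openvpn pid>) on a Linux host."""
    with open("/proc/%s/status" % pid) as f:
        return audit_status(f.read())


# Constructed sample (not captured from a real system): openvpn running as
# uid 65534 with the pre-patch set the thread describes: CAP_DAC_OVERRIDE,
# CAP_SETGID, CAP_SETUID, CAP_NET_ADMIN, CAP_NET_RAW (bits 1,6,7,12,13 = 0x30c2).
SAMPLE_STATUS = """Name:\topenvpn
Uid:\t65534\t65534\t65534\t65534
Gid:\t65534\t65534\t65534\t65534
CapInh:\t0000000000000000
CapPrm:\t00000000000030c2
CapEff:\t00000000000030c2
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# The same process after CAP_SETGID/CAP_SETUID are stripped (0x3002):
# CAP_DAC_OVERRIDE survives, which is the objection raised in the reply.
SAMPLE_STATUS_PATCHED = SAMPLE_STATUS.replace("30c2", "3002")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_STATUS), ("after", SAMPLE_STATUS_PATCHED)):
        print(label, audit_status(text))
```

On a real host the same check is `grep Cap /proc/$(pidof openvpn)/status` followed by `capsh --decode=<hexmask>` (or `getpcaps <pid>`) from libcap; the script above is just that decoding with the root-equivalence judgement applied. Note that CapBnd (the bounding set) and CapAmb (ambient) matter as much as CapEff for a daemon that execs helpers such as up/down scripts: a capability left in the bounding set can be regained by a setcap'd binary even if it is absent from the effective set.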
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel