Hi,

On Tue, Mar 29, 2022 at 01:50:33PM +0200, Antonio Quartulli wrote:
> On 29/03/2022 13:05, Gert Doering wrote:
> > @Antonio, we should really investigate that capability stuff :-)
> 
> I think this was already discussed somewhere else in the past. To talk 
> to the netlink API the NET_ADMIN capability is required - no need to be 
> root.
> 
> Therefore, just grant this capability to the binary with:
> 
>   setcap cap_net_admin+eip /usr/sbin/openvpn
> 
> and then launch it with any user you want (no need to launch as root and 
> then drop to user nobody, unless there are other reasons for doing so).

This is indeed nice.

What I was looking for was more the "if we start as root, assign 
NET_ADMIN to ourself, and then drop user privs" option.

So, no need to fiddle with system install - which is a bit risky because
that way, anyone on the system can run openvpn with NET_ADMIN privs, not
only those users that have sudo rights.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
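The "start as root, keep NET_ADMIN, drop user privs" pattern Gert describes, as an added example (not code from this thread or from OpenVPN): PR_SET_KEEPCAPS stops setuid() from clearing the permitted set, and a capset(2) afterwards shrinks it to CAP_NET_ADMIN alone. The uid/gid values and the raw-syscall approach (no libcap) are this example's own choices; it assumes Linux and a single-threaded caller.

```c
/* Added example, not OpenVPN's code: start as root, drop to an unprivileged
 * uid/gid, but retain CAP_NET_ADMIN so netlink still works. Uses capset(2)
 * and capget(2) via syscall() so libcap is not required. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Where a capability number lives in the 32-bit words of capset/capget. */
struct cap_bits { unsigned idx; unsigned mask; };

struct cap_bits cap_bits_for(int cap) {
    struct cap_bits b = { (unsigned)cap / 32u, 1u << ((unsigned)cap % 32u) };
    return b;
}

/* 1 if the calling thread has `cap` in its effective set, 0 if not,
 * -errno on failure. Works for any user, useful to verify the drop. */
int has_effective_cap(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    struct cap_bits b = cap_bits_for(cap);
    if (syscall(SYS_capget, &hdr, data) < 0) return -errno;
    return (data[b.idx].effective & b.mask) != 0;
}

/* Must be called as root. Returns 0 on success, -errno on failure. */
int keep_net_admin_and_drop(uid_t uid, gid_t gid) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    struct cap_bits b = cap_bits_for(CAP_NET_ADMIN);
    if (geteuid() != 0) return -EPERM;
    /* Without KEEPCAPS, setuid() away from 0 clears the permitted set too. */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0) return -errno;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -errno;
    /* setuid() cleared the effective set; permitted still holds everything.
     * Shrink permitted to CAP_NET_ADMIN only and re-raise it as effective.
     * Inheritable stays empty, so anything exec()'d later gets no caps. */
    memset(data, 0, sizeof data);
    data[b.idx].permitted = b.mask;
    data[b.idx].effective = b.mask;
    if (syscall(SYS_capset, &hdr, data) < 0) return -errno;
    return 0;
}
```

Call `keep_net_admin_and_drop(uid, gid)` once as root, early, then check `has_effective_cap(CAP_NET_ADMIN)` before opening the netlink socket; `setcap` on the binary is no longer needed, so other local users cannot gain NET_ADMIN by running it.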