On 29.03.2022 12:48, Gert Doering wrote:
> Hi,
> On Tue, Mar 29, 2022 at 06:21:37PM +0800, Tony He wrote:
>> 1. Add option "user nobody" to test ovpn-dco.
>> 2. Start openvpn, below is the log. Then we will see tun0 is still
>> there after openvpn exits. We must use the command "ip link del tunX"
>> to delete it. This is not friendly to the end user.
> Yes. This is currently unsolved - if you tell openvpn to give up its
> privileges, it will give up its privileges, and then it lacks privileges
> to tear down the interface again.
> This should be doable with Linux net capabilities, but right now, we
> have not investigated this option further. So, for now, do not
> use "user" together with DCO.
I just sent a patch ("Retain CAP_NET_ADMIN when dropping privileges")
that solves this for me.
It retains the CAP_NET_ADMIN capability while switching user.
The patch sits on top of the dco branch, since it uses functions from it.
I'm not seeing the patch yet, but my mail server claims it got delivered.
The patch is also on Github, on top of the dco branch in my fork:
https://github.com/BtbN/openvpn/tree/dco
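For readers who want to see the mechanics behind "retain CAP_NET_ADMIN while switching user", here is an added C illustration of the Linux side of it. It is not the posted patch and not OpenVPN code; the struct and function names (build_capset, drop_privs_keep_net_admin, read_caps) are invented for this example, and it talks to the kernel's capget/capset syscalls directly instead of going through libcap. The point it demonstrates: setuid() away from root clears the effective set and, unless PR_SET_KEEPCAPS is armed first, the permitted set too, so the interface teardown at exit fails for lack of CAP_NET_ADMIN; re-raising exactly that one capability afterwards is what keeps "ip link del tunX" unnecessary.

```c
/* Added illustration of keeping CAP_NET_ADMIN across a root -> unprivileged
 * uid switch so the process can still tear down its tun/DCO link at exit.
 * NOT OpenVPN's code and NOT the posted patch; names here are invented.
 * Linux only: uses the raw capget/capset syscalls (no libcap dependency). */
#define _GNU_SOURCE
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Capability ABI v3: each set is 64 bits, carried as two u32 words. */
#define CAP_ABI_VERSION_3 0x20080522u
#define CAP_ABI_WORDS     2
#define CAP_NET_ADMIN_BIT 12   /* value of CAP_NET_ADMIN in linux/capability.h */

struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Fill a capset() payload holding exactly `caps` in permitted and effective,
 * with the inheritable set empty. Out-of-range values are ignored. */
static void build_capset(const int *caps, size_t ncaps,
                         struct cap_data data[CAP_ABI_WORDS])
{
    memset(data, 0, sizeof(struct cap_data) * CAP_ABI_WORDS);
    for (size_t i = 0; i < ncaps; i++) {
        int c = caps[i];
        if (c < 0 || c >= 32 * CAP_ABI_WORDS)
            continue;
        uint32_t bit = 1u << (c % 32);
        data[c / 32].permitted |= bit;
        data[c / 32].effective |= bit;
    }
}

/* 1 if `cap` is in the effective set of `data`, else 0. */
static int cap_in_effective(const struct cap_data data[CAP_ABI_WORDS], int cap)
{
    if (cap < 0 || cap >= 32 * CAP_ABI_WORDS)
        return 0;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Snapshot of the calling process's capability sets; works unprivileged. */
static int read_caps(struct cap_data data[CAP_ABI_WORDS])
{
    struct cap_hdr hdr = { CAP_ABI_VERSION_3, 0 };   /* pid 0 = self */
    return syscall(SYS_capget, &hdr, data) == 0 ? 0 : -1;
}

/* Switch from root to uid/gid but keep CAP_NET_ADMIN.
 *  1. PR_SET_KEEPCAPS: setuid() away from root would otherwise clear the
 *     permitted set entirely.
 *  2. setgroups/setgid/setuid while still root.
 *  3. setuid() always clears the effective set, so capset() re-raises
 *     CAP_NET_ADMIN and at the same time drops every other capability.
 * Returns 0 on success, -1 with errno set. Must be called as root. */
static int drop_privs_keep_net_admin(uid_t uid, gid_t gid)
{
    const int keep[] = { CAP_NET_ADMIN_BIT };
    struct cap_hdr hdr = { CAP_ABI_VERSION_3, 0 };
    struct cap_data data[CAP_ABI_WORDS];

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1)
        return -1;
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    build_capset(keep, 1, data);
    if (syscall(SYS_capset, &hdr, data) == -1)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);   /* back to default semantics */
    return 0;
}

int main(void)
{
    struct cap_data now[CAP_ABI_WORDS];
    if (read_caps(now) == 0)
        printf("before: CAP_NET_ADMIN effective=%d\n",
               cap_in_effective(now, CAP_NET_ADMIN_BIT));
    /* "user nobody"-style switch; 65534 is the usual nobody uid/gid. */
    if (drop_privs_keep_net_admin(65534, 65534) == -1) {
        perror("drop_privs_keep_net_admin (run as root)");
        return 1;
    }
    if (read_caps(now) == 0)
        printf("after: uid=%u CAP_NET_ADMIN effective=%d\n",
               (unsigned)getuid(), cap_in_effective(now, CAP_NET_ADMIN_BIT));
    return 0;
}
```

Run it as root and the second line should still report CAP_NET_ADMIN effective=1 with a non-zero uid; the same sequence without the PR_SET_KEEPCAPS step fails at capset() with EPERM, which is exactly the state Gert describes where the interface can no longer be removed. Note that the capability survives only in this process; it is not passed to children (inheritable and ambient sets stay empty).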
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel