On 31/03/2022 15:26, Gert Doering wrote:
> Hi,
>
> On Thu, Mar 31, 2022 at 03:20:59PM +0200, David Sommerseth wrote:
>> I've also run a few tests using an --up script which modified /etc/resolv.conf, which also worked as expected with capabilities enabled.
>
> This is actually an interesting corner case. As far as I understand, --up runs before setuid, so that should always succeed - but if you do that, cleaning up resolv.conf in --down won't succeed.
That is actually correct, and to be honest I didn't think about the order of operations when running as a client.

We could "fix" --down now, but I will not recommend it at all. We could add the CAP_DAC_OVERRIDE capability. But that's a massive sledgehammer, giving read/write access to any file on the system. Only security modules like SELinux, AppArmor and such can block access with this capability enabled. So this is definitely not the right capability to have in the main OpenVPN process now.
--
kind regards,

David Sommerseth
OpenVPN Inc
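The ordering problem discussed above (--up runs before the privilege drop, --down after it) is easiest to confirm by having the script log the context it actually runs in. The helper below is an added example, not code from the thread or from the OpenVPN project; it assumes Linux with /proc and OpenVPN's `script_type` environment variable, and it makes --down fail visibly rather than leaving /etc/resolv.conf silently unrestored.

```shell
#!/bin/sh
# Added example (not from the thread or OpenVPN): sourced or run as an
# --up/--down script to record uid, effective capabilities and whether the
# file to be restored is still writable. Assumes Linux (/proc) and that
# OpenVPN sets script_type to "up" or "down".

# cap_bit_set MASK BIT: test one bit of a CapEff-style hex mask as printed
# in /proc/<pid>/status. CAP_DAC_OVERRIDE is bit 1, CAP_NET_ADMIN is bit 12.
cap_bit_set() {
    mask="$1"
    bit="$2"
    val=$((0x$mask))
    [ $(( (val >> bit) & 1 )) -eq 1 ]
}

# current_capeff: effective capability mask of this shell process.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# context_line PHASE CAPEFF PATH: one log line with uid, the mask, whether
# CAP_DAC_OVERRIDE is held, and whether PATH is writable right now.
context_line() {
    phase="$1"; capeff="$2"; path="$3"
    dac=no; writable=no
    cap_bit_set "$capeff" 1 && dac=yes
    [ -w "$path" ] && writable=yes
    printf 'openvpn %s: uid=%s CapEff=%s CAP_DAC_OVERRIDE=%s writable(%s)=%s\n' \
        "$phase" "$(id -u)" "$capeff" "$dac" "$path" "$writable"
}

# When invoked by OpenVPN: log the context, and let --down exit non-zero
# (which OpenVPN logs) if the privilege drop left resolv.conf read-only.
if [ -n "${script_type:-}" ]; then
    context_line "$script_type" "$(current_capeff)" /etc/resolv.conf >&2
    if [ "$script_type" = down ] && [ ! -w /etc/resolv.conf ]; then
        echo "openvpn down: cannot restore /etc/resolv.conf after privilege drop" >&2
        exit 1
    fi
fi
```

Run it once as --up and once as --down on a test client and compare the two log lines: the uid and CapEff values show exactly which privileges the --down script has lost.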