On Sat, May 14, 2022 at 12:37:17PM +0200, Timo Rothenpieler wrote:
> On Linux, when dropping privileges, interaction with
> the network configuration, such as tearing down routes
> or ovpn-dco interfaces will fail when --user/--group are
> used.
>
> This patch sets the CAP_NET_ADMIN capability, which grants
> the needed privileges during the lifetime of the OpenVPN
> process when dropping root privileges.
>
> Signed-off-by: Timo Rothenpieler <t...@rothenpieler.org>
> Reviewed-By: David Sommerseth <dav...@openvpn.net>
> ---
>  configure.ac                              |  19 +++
>  distro/systemd/openvpn-cli...@.service.in |   2 +-
>  distro/systemd/openvpn-ser...@.service.in |   2 +-
>  src/openvpn/init.c                        |   5 +-
>  src/openvpn/platform.c                    | 146 +++++++++++++++++++++-
>  src/openvpn/platform.h                    |  10 +-
>  6 files changed, 175 insertions(+), 9 deletions(-)
I ran several t_client test runs with --user nobody on a DCO-enabled system.

Without the patch:
- errors on teardown in all tests (sitnl)
- test 11 fails (which actually uses DCO, since no comp)

With the patch:
- errors on teardown gone
- test 11 passes

With the patch and --disable-dco --enable-iproute2:
- no cap retained
- errors on teardown (ip)

Looks to me like it does what it is supposed to do.

Acked-By: Frank Lichtenheld <fr...@lichtenheld.com>

That said, maybe we should add some hint about this behavior to the actual documentation? Maybe to --user documentation? Or at least Changes?

Regards,
--
Frank Lichtenheld

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel