Hi, On Mon, Aug 15, 2022 at 12:14:23PM +0200, Timo Rothenpieler wrote: > > Unfortunately, it seems that our approach to "if SITNL is used, we hard > > require that setting CAP_NET_ADMIN succeeds" is too strong for the twisted > > ways that people use openvpn. > > That's not how the patch operates. > It only hard-requires the capability retention is dco_enabled() returns > true. > In all other cases, it will try to retain capabilities, but continue > with a warning if it fails.
Yes, but we do have DCO here, setting CAP_NET_ADMIN fails, and we abort,
instead of having a working client connect.
> Making the dco_enabled() case a "try but continue" would be a matter of
> changing a 1 to a -1. But given that DCO can't really work then, I'm not
> sure if that's desirable.
*DCO* can work fine, from the looks of that bug report (because all
the DCO open happens before capability drop on a --client config).
"Calling ifconfig and installing routes" cannot, but this is exactly what
we are not doing if --ifconfig-noexec + --route-noexec are set.
Please look closely at the log in the bug report, and keep in mind
that NM will do all the "SITNL" stuff for the user in that scenaro,
not OpenVPN itself.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
