Hi, On Mon, Aug 15, 2022 at 11:54:21AM +0200, Gert Doering wrote: > [..] > > commit 2e359a088226ab1e5ee41fbab27d38d8a8d192ac > > Author: Timo Rothenpieler > > Date: Sat May 14 12:37:17 2022 +0200 > > > > platform: Retain CAP_NET_ADMIN when dropping privileges > > Unfortunately, it seems that our approach to "if SITNL is used, we hard > require that setting CAP_NET_ADMIN succeeds" is too strong for the twisted > ways that people use openvpn. > > Namely, network-manager... > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017379
For the sake of the list archives: *this* particular problem has been
solved by
commit da31c1654c8534658157cfe9c9de5750ee752608
Author: Timo Rothenpieler <t...@rothenpieler.org>
Date: Wed Aug 17 15:18:17 2022 +0200
dco: disable DCO if --user specified but unable to retain capabilities
so if we detect "the caller wants us to go to --user $notroot but we do
not have the necessary capabilities to retain CAP_NET_ADMIN, disable DCO".
This is basically the only thing we can do - if we have no CAP_NET_ADMIN,
DCO will be unable to function today.
Next steps are
- talk to the NM maintainers to get them to call OpenVPN with something
like "CAP_NET_ADMIN and uid != 0" (and no --user config) - so we can
just do our thing, without root privs. David :-)
- figure out if we can do Linux DCO without CAP_NET_ADMIN, at least
"after startup" (open with privs, get a ticket, continue without privs,
something mumble mumble). Antonio :-)
Thanks for all the enlightenment that happened here.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
