Hi,

On Wed, Aug 17, 2022 at 04:18:39PM +0200, Gert Doering wrote:
> Acked-by: Gert Doering <g...@greenie.muc.de>
> 
> Thanks.  Bernhard has already tested this on his Debian/NM testing 
> environment and confirms it fixes the issues seen in 
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017379
> 
> I've added a bit of explanatory text to the commit message (quite a 
> bit of blurb, actually, but the issue was confusing us enough that
> this might help future readers).
> 
> Your patch has been applied to the master branch.
> 
> commit da31c1654c8534658157cfe9c9de5750ee752608
> Author: Timo Rothenpieler
> Date:   Wed Aug 17 15:18:17 2022 +0200
> 
>      dco: disable DCO if --user specified but unable to retain capabilities

I really hate to say this... but... we seem to be calling this function
for incoming MULTI connects:

I have a UDP p2mp server with "--user nobody + DCO", which starts up 
fine (because it has root and can set CAP_NET_ADMIN), but on incoming
client connects, it goes there *again*, and then fails:

Aug 17 21:00:18 ubuntu2004 tun-udp-p2mp[2167001]: 
freebsd-14-amd64/194.97.140.5:23821 --user specified but lacking CAP_SETPCAP. 
Cannot retain CAP_NET_ADMIN. Disabling data channel offload
Aug 17 21:00:18 ubuntu2004 tun-udp-p2mp[2167001]: 
freebsd-14-amd64/194.97.140.5:23821 MULTI: client has been rejected due to 
incompatible DCO options
Aug 17 21:00:19 ubuntu2004 tun-udp-p2mp[2167001]: 
freebsd-14-amd64/194.97.140.5:23821 PUSH: Received control message: 
'PUSH_REQUEST'
Aug 17 21:00:19 ubuntu2004 tun-udp-p2mp[2167001]: 
freebsd-14-amd64/194.97.140.5:23821 Delayed exit in 5 seconds
Aug 17 21:00:19 ubuntu2004 tun-udp-p2mp[2167001]: 
freebsd-14-amd64/194.97.140.5:23821 SENT CONTROL [freebsd-14-amd64]: 
'AUTH_FAILED' (status=1)


This is a hairy mess of checks, double checks, and too many checks...
(a quick fix would be to add "if (getuid() == 0 && o->user && ...)" to
ensure this is only called if we haven't already changed user id, but
it still feels wrong)

Better suggestions on where to move "this is something we only care about at
startup, not at per-instance config" checks?

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
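The guard discussed above ("if (getuid() == 0 && o->user && ...)"), as an added illustration that is not OpenVPN's own code: a small decision helper that reads the effective capability mask the way it appears in /proc/<pid>/status and only raises the "cannot retain CAP_NET_ADMIN" verdict while the process is still root, so a later per-client instance pass (after the switch to --user) does not trip it again. The function names, the CapEff parsing and the sample status lines are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Linux capability bit numbers (from <linux/capability.h>). */
#define CAP_SETPCAP_BIT   8
#define CAP_NET_ADMIN_BIT 12

/* Report whether capability `bit` is set in the CapEff line of a
 * /proc/<pid>/status text. Missing line => treated as "not present". */
bool cap_effective_has(const char *status_text, int bit)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) {
        return false;
    }
    uint64_t mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (mask >> bit) & 1u;
}

/* Hypothetical stand-in for the startup-only DCO check. Returns true when
 * DCO must be disabled because --user was given but CAP_SETPCAP is absent,
 * so CAP_NET_ADMIN could not survive the setuid(). The uid guard is the
 * quick fix from the thread: once we are no longer root the privilege drop
 * has already happened and the check is simply not applicable any more. */
bool dco_must_disable(uid_t uid, const char *user, const char *status_text)
{
    if (uid != 0 || user == NULL) {
        return false;               /* per-instance pass or no --user: skip */
    }
    return !cap_effective_has(status_text, CAP_SETPCAP_BIT);
}

/* Stand-alone run: evaluate the real process against a constructed --user. */
int main(void)
{
    char buf[4096] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        fread(buf, 1, sizeof(buf) - 1, f);
        fclose(f);
    }
    printf("uid=%u disable_dco=%d\n", (unsigned)getuid(),
           dco_must_disable(getuid(), "nobody", buf));
    return 0;
}
```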


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
