Hi,

On Mon, Mar 06, 2023 at 12:33:46AM -0500, selva.n...@gmail.com wrote:
> From: Selva Nair <selva.n...@gmail.com>
> 
> - When management-client-group is in use, allow access if any of
>   the supplementary groups of the user matches the specified group.
> 
>   Currently only the effective gid of the peer socket is checked
>   which is normally the primary group of user. As unprivileged users
>   have no easy way of changing the effective gid of a process,
>   group based access control is of very limited use without this change.

I'm not really convinced this is a good way forward - it's yet another
extra function for a very niche use case, as in "the code has been like
this for 100 years, and nobody has ever used it".

What you do is also not exactly "the user connecting has this gid at the
time of connection" but "the uid reported by getpeerid() has this group
listed in /etc/groups", which will be the same in many cases, but is
still checking something different.

I would propose to extend the documentation with "this only checks the
primary gid at time of connection, if this does not work for your use
case, put the socket into a directory with the right gid and mode 750
and do not use that openvpn option" - as you wrote in the github ticket.

> - Also accept if uid = 0 irrespective of the group.

This part is fine for me, as it follows the traditional unix way of
"root may pass".

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
