Hi,

On Sat, Mar 20, 2021 at 4:57 PM Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> On Sat, Mar 20, 2021 at 12:20:45PM -0400, Selva Nair wrote:
> > We should have probably made this not a FATAL error.
>
> The rules could be twisted a bit ("if uid == 0 then not fatal"), but
> generally speaking, we setrlimit() to avoid running into memory issues
> later on - and if that fails, someone else is imposing restrictions
> on us.  So better fail right away than in malloc() later on.
>

With that patch we increased the capability requirements when using
--mlock. mlockall() only requires CAP_IPC_LOCK, it's the added setrlimit()
that needs CAP_SYS_RESOURCE.

So, someone who has carefully set the mlock limit to, say, 50MB based on
their needs, and using an existing systemd unit file will get an
unnecessary error exit.

Anyway let's document the new capability need for using mlock when started
with RLIMIT_MEMLOCK < 100MB. And update the included systemd unit file.

Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
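
The capability distinction discussed in this message, as an added example that is not OpenVPN's code and not part of the original post: it classifies the current RLIMIT_MEMLOCK against the 100MB threshold and shows that only raising the hard limit requires CAP_SYS_RESOURCE. The names `classify_memlock`, `ensure_memlock` and `WANTED_MEMLOCK` are hypothetical, and whether a refused `setrlimit()` is fatal is left to the caller.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* 100MB threshold mentioned in the thread; the names below are hypothetical. */
#define WANTED_MEMLOCK ((rlim_t)100 * 1024 * 1024)

enum memlock_action {
    MEMLOCK_OK,         /* soft limit already covers the need: no setrlimit() */
    MEMLOCK_RAISE_SOFT, /* soft < wanted <= hard: allowed without privileges */
    MEMLOCK_NEEDS_CAP   /* hard < wanted: raising it needs CAP_SYS_RESOURCE */
};

enum memlock_action classify_memlock(rlim_t soft, rlim_t hard, rlim_t wanted)
{
    if (soft == RLIM_INFINITY || soft >= wanted)
        return MEMLOCK_OK;
    if (hard == RLIM_INFINITY || hard >= wanted)
        return MEMLOCK_RAISE_SOFT;
    return MEMLOCK_NEEDS_CAP;
}

/* Returns 0 if the limit is sufficient or was raised, 1 if setrlimit() was
 * refused (caller decides whether that is fatal), -1 if getrlimit() failed. */
int ensure_memlock(rlim_t wanted)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -1;
    enum memlock_action act = classify_memlock(rl.rlim_cur, rl.rlim_max, wanted);
    if (act == MEMLOCK_OK)
        return 0;
    rl.rlim_cur = wanted;
    if (act == MEMLOCK_NEEDS_CAP)
        rl.rlim_max = wanted;   /* EPERM here without CAP_SYS_RESOURCE */
    if (setrlimit(RLIMIT_MEMLOCK, &rl) == 0)
        return 0;
    fprintf(stderr, "setrlimit(RLIMIT_MEMLOCK): %s\n", strerror(errno));
    return 1;
}

int main(void)
{
    int rc = ensure_memlock(WANTED_MEMLOCK);
    printf("ensure_memlock -> %d\n", rc);
    return rc < 0;
}
```

A unit that sets the limit to 50MB for both soft and hard values falls into the `MEMLOCK_NEEDS_CAP` case, which is the scenario described above.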
