On 27/10/2023 15:25, Gert Doering wrote:

>> Systemd doesn't "mess with OpenVPN".
>
> If it takes away capabilities OpenVPN needs, how would you call it, then?
>
> "Sabotage"?
Incorrect setup, actually. Or a bug. Depending on whether the missing capabilities are due to a local user's change in the openvpn-{client,server}@.service unit files provided by the OpenVPN project or distribution packaging, or to using some other unit files from elsewhere.

The 2.6 release should contain this for the -client variant:

   CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW \
                         CAP_SETGID CAP_SETUID CAP_SETPCAP      \
                         CAP_SYS_CHROOT CAP_DAC_OVERRIDE


The -server variant is a bit more comprehensive:

   CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN        \
                         CAP_NET_BIND_SERVICE CAP_NET_RAW  \
                         CAP_SETGID CAP_SETUID CAP_SETPCAP \
                         CAP_SYS_CHROOT CAP_DAC_OVERRIDE   \
                         CAP_AUDIT_WRITE

If the list of capabilities here is not what a user having issues has, it would be a configuration error on the same level as using --user foobar in the config and not having created this user account in advance. It would fail starting up.

Since this was related to the error message below:

  --user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN.
  Disabling data channel offload

This indicates either that the unit file in use is incorrect, or that there is a bug in the OpenVPN code dropping privileges. Since I have a 2.6 server running with DCO on RHEL-8.8, I have a feeling it's an incorrect unit file. How that unit file ended up being wrong is hard for me to say.

Running this command should provide a reasonably readable list of capabilities in use in the -server unit file:

  # systemctl cat openvpn-server@.service \
       | grep CapabilityBoundingSet= | tr ' ' '\n'


This can be specified further by adding the config file in use in the line above, or by changing -server to -client if it's a client config in play.


--
kind regards,

David Sommerseth
OpenVPN Inc
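An added check, not part of David's message or of the OpenVPN project's own files, that does the comparison he describes: it parses the CapabilityBoundingSet= value out of unit-file text (joining the backslash-continued lines that `systemctl cat` prints verbatim), reports which of the 2.6 capabilities are missing, and flags the CAP_SETPCAP/CAP_NET_ADMIN pair behind the "Disabling data channel offload" message. The function names and the sample unit text are constructed for this example; `check_unit` assumes a systemd host and is not run here.

```shell
#!/bin/sh
# Added example (not from the message or the OpenVPN project): compare a unit's
# CapabilityBoundingSet= against the lists quoted above and flag the
# CAP_SETPCAP/CAP_NET_ADMIN pair that --user needs to keep DCO enabled.

# Lists copied from the 2.6 unit files quoted in the message.
CLIENT_CAPS="CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID \
CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE"
SERVER_CAPS="CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW \
CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE"

# parse_bounding_set: read unit-file text on stdin (e.g. from `systemctl cat`),
# join backslash-continued lines, print the last CapabilityBoundingSet= value.
parse_bounding_set() {
    awk '/\\$/ { sub(/\\$/, ""); buf = buf $0; next }
         { print buf $0; buf = "" }' \
      | sed -n 's/^[[:space:]]*CapabilityBoundingSet=//p' | tail -n 1
}

# missing_caps REQUIRED ACTUAL: print each capability in REQUIRED that is not
# in ACTUAL, one per line. ACTUAL is upper-cased so the lowercase names that
# `systemctl show -p CapabilityBoundingSet --value UNIT` prints also work.
missing_caps() {
    actual=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    for cap in $1; do
        found=0
        for have in $actual; do
            if [ "$have" = "$cap" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$cap"; fi
    done
}

# dco_user_ok ACTUAL: succeed only if the bounding set holds both CAP_SETPCAP
# and CAP_NET_ADMIN, which --user needs in order to retain CAP_NET_ADMIN.
dco_user_ok() {
    [ -z "$(missing_caps "CAP_SETPCAP CAP_NET_ADMIN" "$1")" ]
}

# check_unit UNIT REQUIRED: audit an installed unit on a systemd host, e.g.
#   check_unit openvpn-server@myconfig.service "$SERVER_CAPS"
check_unit() {
    caps=$(systemctl cat "$1" | parse_bounding_set)
    missing=$(missing_caps "$2" "$caps")
    if [ -n "$missing" ]; then printf '%s lacks:\n%s\n' "$1" "$missing"; fi
    dco_user_ok "$caps" \
      || printf '%s: --user cannot retain CAP_NET_ADMIN, DCO will be disabled\n' "$1"
}
```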

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users