On 29.03.2022 21:29, Timo Rothenpieler wrote:
+static bool
+do_keep_caps(bool prepare)
+{
+struct __user_cap_header_struct cap_hdr = { _LINUX_CAPABILITY_VERSION_3 };
+struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] = {};
+
+if (syscall(SYS_capget, &cap_hdr, cap_data)
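Review bot: `struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] = {};` relies on the empty-brace initializer, which is a GNU extension before C23 and warns under -Wpedantic; `= { { 0 } }` gives the same zero-fill in standard C. The header initializer `{ _LINUX_CAPABILITY_VERSION_3 }` would also read better as `{ .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 }` so that it is explicit that pid 0 means the calling thread, which is what the raw SYS_capget call here queries.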
Hi,
On Tue, Mar 29, 2022 at 06:33:14PM +, Pete Nelson wrote:
> Couldn't the down-root plugin be used? Its biggest drawback for this is
> that it's Linux-only, I suppose.
Yes, you could use down-root (and that's more portable than "DCO", which
is "Linux and FreeBSD only"), but that's not a p
On 29.03.2022 12:48, Gert Doering wrote:
Hi,
On Tue, Mar 29, 2022 at 06:21:37PM +0800, Tony He wrote:
1. Add option "user nobody" to test ovpn-dco.
2. Start openvpn; below is the log. Then we will see tun0 is still
there after openvpn exits. We must use the command "ip link del tunX"
to delete.
---
This patch sits on top of the current dco branch, and will not apply to
latest master.
It solves the issue of dropping root privileges breaking dco and sitnl
due to missing NET_ADMIN capabilities.
configure.ac | 3 ++
src/openvpn/init.c | 22 +-
src/openvpn/platfo
On Tue, Mar 29, 2022 at 10:50 AM Gert Doering wrote:
> On Tue, Mar 29, 2022 at 06:21:37PM +0800, Tony He wrote:
> > 1. Add option "user nobody" to test ovpn-dco.
> > 2. Start openvpn; below is the log. Then we will see tun0 is still
> > there after openvpn exits. We must use the command "ip link d
Your patch has been applied to the master branch.
Thanks :-)
commit 711a4044a095e83bb70f4620310d385d6f5c7282
Author: Michael Baentsch
Date: Tue Mar 29 07:37:09 2022 +0200
Enable usage of TLS groups not identified by a NID in OpenSSL 3
Signed-off-by: Michael Baentsch
Acked-by:
On 29.03.22 at 12:28, Gert Doering wrote:
Hi,
On Tue, Mar 29, 2022 at 07:37:09AM +0200, Michael Baentsch wrote:
From: Michael <57787676+baent...@users.noreply.github.com>
OpenSSL3 prefers to specify groups (including EC groups) with names
instead of NID to allow also groups provided by provid
Acked-by: Gert Doering
Thanks for being patient with an old man and rewriting the &name_ok
thing :-) - I like the current code much better.
For the original patch, I am relying on the ACK from Frank. I have
tested the setenv bit (which is new) by feeding openvpn a few --dns
options on the comma
Hi,
On Tue, Mar 29, 2022 at 01:50:33PM +0200, Antonio Quartulli wrote:
> On 29/03/2022 13:05, Gert Doering wrote:
> > @Antonio, we should really investigate that capability stuff :-)
>
> I think this was already discussed somewhere else in the past. To talk
> to the netlink API the NET_ADMIN cap
Hi,
On 29/03/2022 12:48, Gert Doering wrote:
@Antonio: can we make DCO interfaces auto-disappear if the OpenVPN
process closes the last FD?
Originally we did not want to do that because we wanted ovpn-dco to
survive a userspace crash or reload/restart (more likely) without losing
state or cl
Hi,
On 29/03/2022 13:05, Gert Doering wrote:
@Antonio, we should really investigate that capability stuff :-)
I think this was already discussed somewhere else in the past. To talk
to the netlink API the NET_ADMIN capability is required - no need to be
root.
Therefore, just grant this capa
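Worked example of the capability-retention approach discussed in this thread, added here as illustration; it is not OpenVPN's own code and not the patch under review. It shows the mechanism that "--user nobody" currently breaks for DCO and sitnl: the process keeps CAP_NET_ADMIN in its permitted set across the switch to an unprivileged uid via PR_SET_KEEPCAPS, then re-raises only that capability with the raw capset syscall (no libcap needed), so netlink still works while everything else root could do is gone. The uid/gid 65534 in main() and the helper names are assumptions for the example; Linux only.

```c
/*
 * Added example (not OpenVPN code): drop root but keep CAP_NET_ADMIN so
 * that netlink / ovpn-dco calls keep working after the uid switch.
 * Uses the raw capget/capset syscalls; no libcap dependency. Linux only.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

enum cap_set { CAP_SET_EFFECTIVE, CAP_SET_PERMITTED, CAP_SET_INHERITABLE };

/* Is capability 'cap' present in the chosen set of a VERSION_3 capget/capset array? */
static bool
cap_bit_set(const struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3],
            int cap, enum cap_set which)
{
    if (cap < 0 || CAP_TO_INDEX(cap) >= _LINUX_CAPABILITY_U32S_3) {
        return false;               /* out of range for this ABI version */
    }
    const struct __user_cap_data_struct *w = &data[CAP_TO_INDEX(cap)];
    uint32_t word = which == CAP_SET_EFFECTIVE ? w->effective
                  : which == CAP_SET_PERMITTED ? w->permitted
                  : w->inheritable;
    return (word & CAP_TO_MASK(cap)) != 0;
}

/* Read the calling thread's capability sets (pid 0 = self); 0 or -errno. */
static int
caps_of_self(struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    memset(data, 0, sizeof(*data) * _LINUX_CAPABILITY_U32S_3);
    return syscall(SYS_capget, &hdr, data) == 0 ? 0 : -errno;
}

/* Is 'cap' in the effective set of the calling thread right now? */
static bool
have_effective_cap(int cap)
{
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    return caps_of_self(data) == 0 && cap_bit_set(data, cap, CAP_SET_EFFECTIVE);
}

/*
 * Switch to uid/gid while retaining exactly CAP_NET_ADMIN.
 * 1. PR_SET_KEEPCAPS: the permitted set survives the root->non-root setuid().
 * 2. Drop supplementary groups, then gid, then uid (this order matters:
 *    setgid() after setuid() would already lack CAP_SETGID).
 * 3. setuid() still clears the effective set, so capset() re-raises
 *    CAP_NET_ADMIN and at the same time shrinks permitted to that one bit.
 * Returns 0 or -errno.
 */
static int
drop_root_keep_net_admin(uid_t uid, gid_t gid)
{
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) != 0) return -errno;
    if (setgroups(0, NULL) != 0) return -errno;
    if (setgid(gid) != 0) return -errno;
    if (setuid(uid) != 0) return -errno;

    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    data[CAP_TO_INDEX(CAP_NET_ADMIN)].permitted = CAP_TO_MASK(CAP_NET_ADMIN);
    data[CAP_TO_INDEX(CAP_NET_ADMIN)].effective = CAP_TO_MASK(CAP_NET_ADMIN);
    if (syscall(SYS_capset, &hdr, data) != 0) return -errno;

    /* KEEPCAPS has done its job; clear it so later uid changes behave normally. */
    prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L);
    return 0;
}

int
main(void)
{
    /* Assumed target ids for the example; a real program would getpwnam("nobody"). */
    uid_t uid = 65534;
    gid_t gid = 65534;
    int rc = drop_root_keep_net_admin(uid, gid);
    if (rc != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("uid=%u euid=%u CAP_NET_ADMIN effective: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           have_effective_cap(CAP_NET_ADMIN) ? "yes" : "no");
    return 0;
}
```

Run it as root to see the transition (as an unprivileged user the drop fails at setgroups() with EPERM, which is the expected answer: there is nothing to keep). Note what this does not cover: the bounding set is untouched, nothing is placed in the inheritable or ambient sets, and a later execve() loses the capability again unless the target binary carries file capabilities, which is the other option hinted at in this thread.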
Hi,
On Tue, Mar 29, 2022 at 12:29:14PM +0200, Timo Rothenpieler wrote:
> I think the dco only working if openvpn is running as root is a general
> issue right now.
> Like, clients can't connect either, because it fails to communicate with
> the interface after dropping privileges.
Indeed, on a
Timo Rothenpieler wrote on Tue, 29 Mar 2022 at 18:45:
>
> On 29.03.2022 12:21, Tony He wrote:
> > Hi,
> >
> > 1. Add option "user nobody" to test ovpn-dco.
> > 2. Start openvpn; below is the log. Then we will see tun0 is still
> > there after openvpn exits. We must use the command "ip link del tunX"
> > to dele
Hi,
On Tue, Mar 29, 2022 at 06:21:37PM +0800, Tony He wrote:
> 1. Add option "user nobody" to test ovpn-dco.
> 2. Start openvpn; below is the log. Then we will see tun0 is still
> there after openvpn exits. We must use the command "ip link del tunX"
> to delete. This is not friendly to the end user.
Y
On 29.03.2022 12:21, Tony He wrote:
Hi,
1. Add option "user nobody" to test ovpn-dco.
2. Start openvpn; below is the log. Then we will see tun0 is still
there after openvpn exits. We must use the command "ip link del tunX"
to delete. This is not friendly to the end user.
I think the dco only workin
Hi,
On Tue, Mar 29, 2022 at 07:37:09AM +0200, Michael Baentsch wrote:
> From: Michael <57787676+baent...@users.noreply.github.com>
>
> OpenSSL3 prefers to specify groups (including EC groups) with names
> instead of NID to allow also groups provided by providers.
> This commit also removes the ma
On 29.03.22 at 07:37, Michael Baentsch wrote:
From: Michael <57787676+baent...@users.noreply.github.com>
OpenSSL3 prefers to specify groups (including EC groups) with names
instead of NID to allow also groups provided by providers.
This commit also removes the mapping of secp256r1 to prime256v1
Hi,
1. Add option "user nobody" to test ovpn-dco.
2. Start openvpn; below is the log. Then we will see tun0 is still
there after openvpn exits. We must use the command "ip link del tunX"
to delete. This is not friendly to the end user.
root@OpenWrt:/tmp/etc# openvpn test.conf
2022-03-29 18:12:43 Note: