On 31/01/2023 13:25, Lev Stipakov wrote:
From: Lev Stipakov
WinAPI uses __stdcall calling convention on x86. Wrong
calling convention causes UB, which in this case breaks
dco-win functionality.
Signed-off-by: Lev Stipakov
---
src/openvpn/dco_win.c | 2 +-
1 file changed, 1 insertion(+), 1
The bounding set being empty will overpower the likes of su/sudo
and will make it impossible for any child processes to ever gain
additional privileges again.
This fixes https://github.com/OpenVPN/openvpn/issues/220
Signed-off-by: Timo Rothenpieler
---
src/openvpn/platform.c | 2 +-
1 file
On 23/08/2022 15:42, Timo Rothenpieler wrote:
+run: docker exec ovpn -e DEBIAN_FRONTEND=noninteractive sh -c "apt update
&& apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev linux-libc-dev
man2html libcmocka-dev python3-docutils build-essential pkgconf lib
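Review bot: in the `run:` line, `-e DEBIAN_FRONTEND=noninteractive` comes after the container name `ovpn`, so `docker exec` takes `-e` as the command to run inside the container instead of as an option. Options have to come before the container name: `docker exec -e DEBIAN_FRONTEND=noninteractive ovpn sh -c "..."`.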
The ubuntu-18.04 base image is deprecated and in the process of being phased
out:
https://github.blog/changelog/2022-08-09-github-actions-the-ubuntu-18-04-actions-runner-image-is-being-deprecated-and-will-be-removed-by-12-1-22/
It is already causing build failures during the scheduled periods men
All the checks in there are only relevant during startup, and
specifically the capability check might cause issues when checking a CCD
config later at runtime.
So move them to their own function and call it only during startup.
---
src/openvpn/dco.c | 9 ++---
src/openvpn/dco.h | 18
In the case of the Microsoft action, this fixes security relevant issues
according to their release notes:
https://github.com/microsoft/setup-msbuild/releases
Unfortunately they don't appear to be following the usual scheme of v1
referring to all v1.x.x, but instead v1 just points to v1.0.0.
Th
On 17/08/2022 15:12, Arne Schwabe wrote:
Hey,
newest and greatest is always nice but could you give a bit more
rationale why we should update? The commit message is unfortunately not
giving any details.
In the case of the Microsoft action, it actually fixes security relevant
issues accordin
---
src/openvpn/dco.c | 26 ++
1 file changed, 26 insertions(+)
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index caa4ce32..b7db23f4 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -44,6 +44,10 @@
#include "ssl_ncp.h"
#include "tun.h"
+#ifdef HAVE_LIBC
---
.github/workflows/build.yaml | 24
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index c89d3c8c..49b7d6d1 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -13,7
On 15/08/2022 12:29, Gert Doering wrote:
Hi,
On Mon, Aug 15, 2022 at 12:14:23PM +0200, Timo Rothenpieler wrote:
Unfortunately, it seems that our approach to "if SITNL is used, we hard
require that setting CAP_NET_ADMIN succeeds" is too strong for the twisted
ways that people u
if things still work.
I will add this to my DCO server test environment - run one of the
iroute-using instances with "nobody", so it is continuously tested.
[..]
commit 2e359a088226ab1e5ee41fbab27d38d8a8d192ac
Author: Timo Rothenpieler
Date: Sat May 14 12:37:17 2022 +0200
Linux builds need this now in order to retain capabilities when dropping root
privileges.
---
.github/workflows/build.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index b905c0d2..c89d3c8c 100644
--- a/.git
On 14/05/2022 12:37, Timo Rothenpieler wrote:
On Linux, when dropping privileges, interaction with
the network configuration, such as tearing down routes
or ovpn-dco interfaces will fail when --user/--group are
used.
This patch sets the CAP_NET_ADMIN capability, which grants
the needed
when dropping root privileges.
Signed-off-by: Timo Rothenpieler
Reviewed-By: David Sommerseth
---
configure.ac | 19 +++
distro/systemd/openvpn-cli...@.service.in | 2 +-
distro/systemd/openvpn-ser...@.service.in | 2 +-
src/openvpn/init.c
when dropping root privileges.
Signed-off-by: Timo Rothenpieler
Reviewed-By: David Sommerseth
---
configure.ac | 19
distro/systemd/openvpn-cli...@.service.in | 2 +-
distro/systemd/openvpn-ser...@.service.in | 2 +-
src/openvpn/init.c
On 08/04/2022 11:35, Gert Doering wrote:
Hi,
On Thu, Apr 07, 2022 at 08:40:24PM +0200, Timo Rothenpieler wrote:
+else if (res < 0)
+{
+if (res == -3)
+{
+msg(M_NONFATAL, "Following error likely due to missing capability
CAP
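Review bot: `res == -3` inside the `else if (res < 0)` branch compares against a bare number. A named constant or enum for this return code would show which failure the capability hint is tied to, without the reader having to look up the callee.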
On 06.04.2022 11:52, Antonio Quartulli wrote:
Hi,
On 30/03/2022 22:55, Timo Rothenpieler wrote:
---
Using libcap-ng now
A commit message would be good, but I see that David has already
proposed one.
The latest rebased version of this patch already has that message.
Just seemed silly to re
On 31.03.2022 13:02, Gert Doering wrote:
Hi,
On Thu, Mar 31, 2022 at 12:06:06PM +0200, David Sommerseth wrote:
There is however another related challenge in OpenVPN 2.x, which became
even clearer than before with the sitnl implementation we switched over
to on Linux by default with v2.5. When
---
Using libcap-ng now
configure.ac | 19 +
distro/systemd/openvpn-cli...@.service.in | 2 +-
distro/systemd/openvpn-ser...@.service.in | 2 +-
src/openvpn/init.c| 25 ++-
src/openvpn/platform.c| 91 +
---
configure.ac | 18 ++
distro/systemd/openvpn-cli...@.service.in | 2 +-
distro/systemd/openvpn-ser...@.service.in | 2 +-
src/openvpn/init.c| 25 ++-
src/openvpn/platform.c| 79 +++
src/openv
On 30.03.2022 11:11, David Sommerseth wrote:
On 30/03/2022 10:51, David Sommerseth wrote:
On 29/03/2022 21:29, Timo Rothenpieler wrote:
---
This patch sits on top of the current dco branch, and will not apply to
latest master.
It solves the issue of dropping root privileges breaking dco and
On 29.03.2022 21:29, Timo Rothenpieler wrote:
+static bool
+do_keep_caps(bool prepare)
+{
+struct __user_cap_header_struct cap_hdr = { _LINUX_CAPABILITY_VERSION_3 };
+struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] = {};
+
+if (syscall(SYS_capget, &cap_hdr, cap_
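Review bot: `cap_data[_LINUX_CAPABILITY_U32S_3] = {}` uses an empty initializer, which is a GNU extension before C23; `= { 0 }` is portable across the compilers the project builds with. The `bool prepare` parameter of `do_keep_caps` also needs a comment stating what each value does, since the name alone does not say which phase of the privilege drop it selects.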
On 29.03.2022 12:48, Gert Doering wrote:
Hi,
On Tue, Mar 29, 2022 at 06:21:37PM +0800, Tony He wrote:
1. Add option "user nobody" to test ovpn-dco.
2. Start openvpn, below is the log. Then we will see tun0 is still
there after openvpn exit. We must use the command "ip link del tunX"
to delete.
---
This patch sits on top of the current dco branch, and will not apply to
latest master.
It solves the issue of dropping root privileges breaking dco and sitnl
due to missing NET_ADMIN capabilities.
configure.ac | 3 ++
src/openvpn/init.c | 22 +-
src/openvpn/platfo
On 29.03.2022 12:21, Tony He wrote:
Hi,
1. Add option "user nobody" to test ovpn-dco.
2. Start openvpn, below is the log. Then we will see tun0 is still
there after openvpn exit. We must use the command "ip link del tunX"
to delete. This is not friendly to end user.
I think the dco only workin