Hi,
On Tue, Apr 24, 2018 at 4:16 PM, Christian Hesse wrote:
> Antonio Quartulli on Tue, 2018/04/24 23:08:
>> OTOH I understand that there are people that don't care about having a
>> working tunnel reconfiguration and are fine with starting openvpn as
>> root (and then dropping privileges).
>>
>
Hi,
On Mon, Apr 23, 2018 at 11:28:13AM +0200, Christian Hesse wrote:
> @@ -1151,6 +1151,14 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
> /* set user and/or group if we want to setuid/setgid */
> if (c0->uid_gid_specified)
> {
> +#ifdef ENABLE_SYSTEMD
> +
Hi,
On Tue, Apr 24, 2018 at 10:16:36PM +0200, Christian Hesse wrote:
> No need to have root involved. Sounds good?
This is not our traditional approach of "give people rope to hang themselves
if they want so". So I'll NAK any patch that *requires* use of systemd,
capabilities and non-root users
Hi,
On Tue, Apr 24, 2018 at 11:08:22PM +0800, Antonio Quartulli wrote:
> Generally speaking I believe that openvpn, as a VPN and partly routing
> daemon, should be allowed to run with CAP_NET_ADMIN set as it enables
> more features (tunnel reconfiguration to start with).
If we go there, we might
Antonio Quartulli on Tue, 2018/04/24 23:08:
> OTOH I understand that there are people that don't care about having a
> working tunnel reconfiguration and are fine with starting openvpn as
> root (and then dropping privileges).
>
> For these people, adding the above capabilities results in giving
Hi,
On 24/04/18 21:08, Simon Ruderich wrote:
>> I do not agree that the process is running with root privileges. It has some
>> extra capabilities, but it can not kill processes, fork away and change
>> cgroups, etc.
>> IMHO that is what we want to achieve.
>
> I disagree. A process with CAP_DAC_
On Tue, Apr 24, 2018 at 12:03:37PM +0200, Christian Hesse wrote:
> The above snippet holds code for both, netlink and iproute2 versions.
>
> The iproute2 version (that is what is used currently) uses systemd option
> "CapabilityBoundingSet" to limit the capabilities to the given set. If
> configure
Simon Ruderich on Tue, 2018/04/24 10:38:
> I haven't followed the netlink conversion in detail, so please
> tell me if the following was already discussed and I've just
> missed it.
No, it has not been discussed and needs a review.
> On Mon, Apr 23, 2018 at 11:28:13AM +0200, Christian Hesse wrot
Hello,
I haven't followed the netlink conversion in detail, so please
tell me if the following was already discussed and I've just
missed it.
On Mon, Apr 23, 2018 at 11:28:13AM +0200, Christian Hesse wrote:
> if ENABLE_SYSTEMD
> +if ENABLE_IPROUTE
> +SYSTEMD_USER=root
> +SYSTEMD_CAPS_OPTION=Capa
From: Christian Hesse
Now that we have a native netlink interface run the process with dedicated
user 'openvpn'. This is possible by granting ambient capabilities, see
systemd.exec(5).
Signed-off-by: Christian Hesse
---
.gitignore| 1 +
configure.ac
10 matches
Mail list logo
