For now we have:
- CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE - helps to call external programs as needed for some setups

The above IMHO does not jeopardize the default config as much as dropping all boundary caps limiting would - so the change above can be pursued.

I was re-reading a few times: I read your comment #26 - especially the last paragraph - as "upstream deb package + #1/#2/#3 set" does not trigger the sudo/audit related messages.

I think the sudo issues are a consequence of the non-root setup. There is a discussion on it in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792653 trying very similar changes. The TL;DR is that the default configuration protects the default setup (which is with privileged users) and local overrides can be added if needed.

I have not found a good way to help with the other messages yet on top of what was discussed on the referenced Debian bug - i.e. nothing that I'd want to change in packaging.

Changing the Caps I'd consider reasonable, I might get in touch with a few others though to be sure.

** Bug watch added: Debian Bug tracker #792653
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792653

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1787208

Title:
  Openvpn routing issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1787208/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs