Alberto Gonzalez wrote:

> Hi,

Hi Alberto.
I only just noticed now that you updated this case.
 
> Did you run "systemctl daemon-reload" after changing the .service file? 

Yes, as per my original bug report I tried the following:

        <quote>
        Each time I edited the file, I tried the following commands before
        starting the service:

                systemctl reenable openvpn@.service
                systemctl daemon-reload
                systemctl daemon-reexec
        </quote>

> I'll upload 2.3.10 soon, can you check if it works with it?

I now have the new version of openvpn.
If I re-add the following directives to my configuration with this version, 
openvpn now starts without error:

        user openvpn
        group nogroup
        iproute /usr/local/sbin/openvpn-ip

And a ps listing shows the openvpn processes running as the openvpn user.

With my phone I am able to connect to openvpn okay, but I was unable to browse 
anything with my web browser.
If I remove the directives and restart openvpn and reconnect my phone again 
then browsing works.

So I am now further than I was before but something else is wrong.

I compared the syslog entries for my connection when running openvpn as the 
root and openvpn users.
I then compared routes.
When running with the root user, an extra route is added when my phone connects.
When running with the openvpn user, there is no extra route added when my phone 
connects.

I edited the /usr/local/sbin/openvpn-ip script so that it looks like this:

        #!/bin/sh
        echo "openvpn-ip script invoked" >> /tmp/openvpn-ip.tmp
        /usr/bin/sudo /sbin/ip $*

Then I connected with the phone while openvpn was running as the openvpn user.
The /tmp/openvpn-ip.tmp file was not created.
So it looks like the following directive in the configuration file is not 
having an effect, or for some reason openvpn is unable to run it:

        iproute /usr/local/sbin/openvpn-ip

The permissions on the file are okay and the openvpn user is able to reach it:

        # sudo -u openvpn ls -l /usr/local/sbin/openvpn-ip 
        -rwxr-xr-x 1 root staff 92 Feb 20 07:32 /usr/local/sbin/openvpn-ip

So perhaps another capability is stopping this file from being run?
I saw no other log messages relating to failure to access or run the 
/usr/local/sbin/openvpn-ip script anywhere.

Regards,
Jim.
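
One way to check the capability question raised in the message above, as an added example that is not part of the original message or of the openvpn package. It assumes that a setuid helper such as sudo needs CAP_SETUID and CAP_SETGID in the process's capability bounding set and NoNewPrivs unset; the function names are hypothetical and the sample status text is constructed.

```shell
#!/bin/sh
# Added example: read /proc/<pid>/status text and report whether a setuid
# helper such as sudo could still gain privileges from inside that process.
# Assumption: sudo needs CAP_SETUID and CAP_SETGID in the bounding set and
# NoNewPrivs set to 0.

CAP_SETGID_BIT=6    # bit numbers from linux/capability.h
CAP_SETUID_BIT=7

# has_cap HEXMASK BIT -> exit status 0 if BIT is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sudo_verdict < status-text
# Prints "ok", "unknown", or "blocked:" followed by the reasons found.
sudo_verdict() {
    bnd="" nnp=0 reasons=""
    while read -r key value _; do
        case "$key" in
            CapBnd:)     bnd=$value ;;
            NoNewPrivs:) nnp=$value ;;
        esac
    done
    if [ -z "$bnd" ]; then echo "unknown"; return 0; fi
    has_cap "$bnd" "$CAP_SETUID_BIT" || reasons="$reasons CAP_SETUID"
    has_cap "$bnd" "$CAP_SETGID_BIT" || reasons="$reasons CAP_SETGID"
    if [ "$nnp" = 1 ]; then reasons="$reasons NoNewPrivs"; fi
    if [ -n "$reasons" ]; then echo "blocked:$reasons"; else echo "ok"; fi
}

# Constructed samples (not taken from the report).
# 0x7400 = NET_BIND_SERVICE | NET_ADMIN | NET_RAW | IPC_LOCK only.
sample_restricted() {
    printf 'Name:\topenvpn\nNoNewPrivs:\t0\nCapBnd:\t0000000000007400\n'
}
sample_unrestricted() {
    printf 'Name:\topenvpn\nNoNewPrivs:\t0\nCapBnd:\t0000003fffffffff\n'
}
sample_nnp() {
    printf 'Name:\topenvpn\nNoNewPrivs:\t1\nCapBnd:\t0000003fffffffff\n'
}

# With a PID argument, check that live process instead of the samples.
[ $# -eq 0 ] || sudo_verdict < "/proc/$1/status"
```

Run it with the PID of the running openvpn process to see what the service's restrictions leave available to the wrapper script.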
