Hello, I haven't followed the netlink conversion in detail, so please tell me if the following was already discussed and I've just missed it.
On Mon, Apr 23, 2018 at 11:28:13AM +0200, Christian Hesse wrote: > if ENABLE_SYSTEMD > +if ENABLE_IPROUTE > +SYSTEMD_USER=root > +SYSTEMD_CAPS_OPTION=CapabilityBoundingSet > +SYSTEMD_CAPS_VALUES=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE > +else > +SYSTEMD_USER=openvpn > +SYSTEMD_CAPS_OPTION=AmbientCapabilities > +SYSTEMD_CAPS_VALUES=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE > CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE Are those capabilities dropped after initialization? If they are not this sounds like a serious issue as the process is basically running as root even if it's using another user (CAP_NET_ADMIN and CAP_DAC_OVERRIDE). Or am I missing something here? Regarding the netlink change in general: From what I understand it means that openvpn will always run with CAP_NET_ADMIN capabilities. Is this correct? If so, this sounds like it requires much more privileges than before for the normal operation (unless I misunderstand the current setup - to my knowledge it only requires a normal user after setup and no further capabilities or privileges once setup/connected). Regards Simon -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: PGP signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel