Christian Ehrhardt <christian.ehrha...@canonical.com> on Wed, 2018/08/29 16:27:
> It seems a not too uncommon case that learn-address needs to recycle
> dnsmasq - to do so it would need CAP_KILL.
> 
> This was suggested on https://community.openvpn.net/openvpn/ticket/918
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
> ---
>  distro/systemd/openvpn-ser...@.service.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/distro/systemd/openvpn-ser...@.service.in
> b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..edace213 100644
> --- a/distro/systemd/openvpn-ser...@.service.in
> +++ b/distro/systemd/openvpn-ser...@.service.in
> @@ -11,7 +11,7 @@ Type=notify
>  PrivateTmp=true
>  WorkingDirectory=/etc/openvpn/server
>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw
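Review bot: adding CAP_KILL to CapabilityBoundingSet grants more than the stated need, since CAP_KILL permits signalling any process on the host rather than only the dnsmasq instance the learn-address hook wants to recycle; the commit message should state that this widens the service sandbox and, given CAP_SETUID/CAP_SETGID are in the same set, whether the capability is still held at the point the hook runs after privileges are dropped. As posted here the hunk is line-wrapped so the unchanged LimitNPROC=10 and DeviceAllow lines run into the changed CapabilityBoundingSet line; re-sending the patch unwrapped would make it apply cleanly.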

I do not like services being allowed to send signals to other processes. As
dnsmasq supports a dbus interface, how about using that? For example, to
clear the dns cache of an instance started from NetworkManager:

dbus-send --system --print-reply \
--dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
uk.org.thekelleys.ClearCache
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel