On 29/08/18 21:05, Christian Hesse wrote:
> Christian Ehrhardt <christian.ehrha...@canonical.com> on Wed, 2018/08/29
> 16:27:
>> It seems a not too uncommon case that learn-address needs to recycle
>> dnsmasq - to do so it would need CAP_KILL.
>>
>> This was suggested on https://community.openvpn.net/openvpn/ticket/918
>>
>> Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
>> ---
>>  distro/systemd/openvpn-ser...@.service.in | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/distro/systemd/openvpn-ser...@.service.in
>> b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..edace213 100644
>> --- a/distro/systemd/openvpn-ser...@.service.in
>> +++ b/distro/systemd/openvpn-ser...@.service.in
>> @@ -11,7 +11,7 @@ Type=notify
>>  PrivateTmp=true
>>  WorkingDirectory=/etc/openvpn/server
>>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
>> --status-version 2 --suppress-timestamps --config %i.conf
>> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
>> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
>> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
>> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw
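Review bot: the CAP_KILL appended to the CapabilityBoundingSet= line applies to every instance of this template unit, although the commit message motivates it only for setups where learn-address has to recycle dnsmasq. Consider keeping the default set unchanged and documenting a drop-in that extends CapabilityBoundingSet= for the affected instances, or at least state in the commit message which process is signalled and why a narrower mechanism is not sufficient.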
> 
> I do not like services being allowed to send signals to other processes. As
> dnsmasq supports a dbus interface... How about using that? For example to
> clear the DNS cache of an instance started from NetworkManager:
> 
> dbus-send --system --print-reply \
> --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
> uk.org.thekelleys.ClearCache

+1 ... CAP_KILL privileges can too easily prepare the ground for DoS attacks.

The D-Bus approach above seems much saner and safer.  Also because D-Bus gives
a reasonable protection in regards to privilege escalation attacks.  But you
most likely need to prepare a D-Bus policy for dnsmasq though, to allow the
openvpn user (or whatever user who will execute this script) access to the
uk.org.thekelleys.ClearCache D-Bus method.


-- 
kind regards,

David Sommerseth
OpenVPN Inc


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel