Hi,

On Thu, Aug 11, 2022 at 12:03:45PM +0200, Gert Doering wrote:
> I have not tested this myself, but if I had, the test setup would have
> been very similar to what Frank did (so, big thanks) - run a DCO 
> environment with "owner nobody", and see if things still work.
> 
> I will add this to my DCO server test environment - run one of the
> iroute-using instances with "nobody", so it is continuously tested.
[..]
> commit 2e359a088226ab1e5ee41fbab27d38d8a8d192ac
> Author: Timo Rothenpieler
> Date:   Sat May 14 12:37:17 2022 +0200
> 
>      platform: Retain CAP_NET_ADMIN when dropping privileges

Unfortunately, it seems that our approach to "if SITNL is used, we hard
require that setting CAP_NET_ADMIN succeeds" is too strong for the twisted
ways that people use openvpn.

Namely, network-manager...

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017379

... runs openvpn with --ifconfig-noexec / --route-noexec, and insists
on doing all that itself.  I do not like NM's way of trying to control
everything (up to the point that it defaults to redirecting a default
route to OpenVPN even if config and server do not want that), but this
is what Linux people seem to be stuck with, so we need to handle it.


So I think we need to amend this patch twofold

 - if --ifconfig-noexec && --route-noexec are set, do not mandate
   success on CAP_NET_ADMIN (users might want it for using it in --up
   scripts, but if it fails, *openvpn* is not missing functionality)

   --> this should take care of the NM case

 - also, we might want to think long and hard about mandating it if
   --client (that is, --pull) is in use.  We postpone dropping of privileges
   until after the initial ifconfig/route setup has been done, and on
   program end, closing tun/dco interface will (I hope) make the interface
   go away without needing privileges, and the system will remove the 
   routes together with it.

   --redirect-gateway will break, --redirect-gateway def1 will not.

   Overlapping vpn routes with vpn gateway (= install a host route) will
   also be unable to clean up at program end.  But this is no worse than
   2.5.x with --user nobody.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
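
The first proposal in the message above (do not insist on CAP_NET_ADMIN when both --ifconfig-noexec and --route-noexec are set), sketched as an added example; it is not part of the original mail and is not OpenVPN's code. `struct opts`, `cap_net_admin_mandatory()`, `keep_only_net_admin()` and `drop_privs()` are hypothetical names, and the raw prctl/capset calls are an assumption made to keep the example free of library dependencies.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical option struct; fields mirror --ifconfig-noexec / --route-noexec. */
struct opts { bool ifconfig_noexec, route_noexec; };

/* With both flags set the daemon configures no addresses or routes itself,
 * so a missing CAP_NET_ADMIN costs it nothing and must not be fatal. */
static bool cap_net_admin_mandatory(const struct opts *o)
{
    return !(o->ifconfig_noexec && o->route_noexec);
}

/* Shrink permitted/effective to CAP_NET_ADMIN only (raw capset, no libcap). */
static int keep_only_net_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = 1u << CAP_NET_ADMIN;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Returns 1: dropped and capability kept, 0: dropped without it (tolerated),
 * -1: fatal. Call before any threads exist; it changes process credentials. */
static int drop_privs(const struct opts *o, uid_t uid, gid_t gid)
{
    bool kept = prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) == 0;
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (kept && keep_only_net_admin() != 0) kept = false;
    if (kept) return 1;
    if (cap_net_admin_mandatory(o)) return -1;   /* strict: refuse to run */
    fprintf(stderr, "warning: CAP_NET_ADMIN not retained, continuing\n");
    return 0;
}

int main(void)
{
    struct opts nm = { true, true };  /* constructed: the NetworkManager case */
    printf("drop_privs -> %d\n", drop_privs(&nm, getuid(), getgid()));
    return 0;
}
```

Started unprivileged, the capset step fails and the result is 0 for the NetworkManager-style options, while the same failure with either flag unset returns -1.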
