On 15/08/2022 11:54, Gert Doering wrote:
> Hi,
>
> On Thu, Aug 11, 2022 at 12:03:45PM +0200, Gert Doering wrote:
> I have not tested this myself, but if I had, the test setup would have
> been very similar to what Frank did (so, big thanks) - run a DCO
> environment with "owner nobody", and see if things still work.
> I will add this to my DCO server test environment - run one of the
> iroute-using instances with "nobody", so it is continuously tested.
> [..]
> commit 2e359a088226ab1e5ee41fbab27d38d8a8d192ac
> Author: Timo Rothenpieler
> Date: Sat May 14 12:37:17 2022 +0200
> platform: Retain CAP_NET_ADMIN when dropping privileges
>
> Unfortunately, it seems that our approach to "if SITNL is used, we hard
> require that setting CAP_NET_ADMIN succeeds" is too strong for the twisted
> ways that people use openvpn.

That's not how the patch operates.
It only hard-requires the capability retention if dco_enabled() returns
true.
In all other cases, it will try to retain capabilities, but continue
with a warning if it fails.
Making the dco_enabled() case a "try but continue" would be a matter of
changing a 1 to a -1. But given that DCO can't really work then, I'm not
sure if that's desirable.