Hi,

On Mon, Aug 15, 2022 at 11:54:21AM +0200, Gert Doering wrote:
> [..]
> > commit 2e359a088226ab1e5ee41fbab27d38d8a8d192ac
> > Author: Timo Rothenpieler
> > Date:   Sat May 14 12:37:17 2022 +0200
> > 
> >      platform: Retain CAP_NET_ADMIN when dropping privileges
> 
> Unfortunately, it seems that our approach to "if SITNL is used, we hard
> require that setting CAP_NET_ADMIN succeeds" is too strong for the twisted
> ways that people use openvpn.
> 
> Namely, network-manager...
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017379
> 
> ... runs openvpn with --ifconfig-noexec / --route-noexec, and insists
> on doing all that itself.  I do not like NM's way of trying to control
> everything (up to the point that it defaults to redirecting a default
> route to OpenVPN even if config and server do not want that), but this
> is what Linux people seem to be stuck with, so we need to handle it.

We've discussed this quite a bit in #openvpn-devel, and it's more complicated
than "just ifconfig and route".

Namely, there are more operations OpenVPN needs to do if running with
the DCO kernel module, which all need CAP_NET_ADMIN:

  - renegotiate on TLS session expiry (control channel communication is
    done through kernel module, not directly on socket)
  - install / swap keys
  - reconfigure the kernel peer on reconnect (peer-id / remote IP)

So, running in an environment that prevents use of CAP_NET_ADMIN (how
does it do that, in the first place?) *and* forces a non-root user
means "DCO will break".  Not immediately, but openvpn will abort on
each of these events - NM might hide that by just restarting it, but
it's still broken.


So the discussion seems to run towards two options

  - disable DCO if CAP_NET_ADMIN can not be retained
  - fix this in NM

Preferably, fix this in NM...

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
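The first option in the message above ("disable DCO if CAP_NET_ADMIN can not be retained") needs a way to tell whether the capability is available to keep at all. The following is an added example, not part of the original message and not OpenVPN code: it reads the `CapPrm` mask from `/proc/<pid>/status` text and reports whether CAP_NET_ADMIN is in the permitted set, since a capability missing there cannot be made effective after the privilege drop. The function names are hypothetical and the status samples are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_ADMIN_BIT 12 /* value of CAP_NET_ADMIN in <linux/capability.h> */

/* Constructed samples of /proc/<pid>/status content (not captured output). */
static const char SAMPLE_FULL[] =
    "Name:\topenvpn\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n";
static const char SAMPLE_RESTRICTED[] =
    "Name:\topenvpn\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n";

/* Find the line "<field>:\t<hex mask>" in status text; returns 0 on success. */
static int cap_field(const char *status, const char *field, uint64_t *out)
{
    size_t flen = strlen(field);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            const char *v = p + flen + 1;
            char *end;
            *out = strtoull(v, &end, 16);
            return end == v ? -1 : 0;
        }
        p = strchr(p, '\n');          /* advance to the next line */
        if (p)
            p++;
    }
    return -1;
}

/* Hypothetical policy helper:
 *   1  CAP_NET_ADMIN is permitted, retaining it can be attempted
 *   0  it is not permitted, so DCO would have to be disabled
 *  -1  no CapPrm line found */
int dco_usable_after_drop(const char *status)
{
    uint64_t prm;
    if (cap_field(status, "CapPrm", &prm) != 0)
        return -1;
    return (int)((prm >> CAP_NET_ADMIN_BIT) & 1);
}

int main(void)
{
    printf("full: %d\n", dco_usable_after_drop(SAMPLE_FULL));
    printf("restricted: %d\n", dco_usable_after_drop(SAMPLE_RESTRICTED));
    return 0;
}
```

A result of 1 only means the retain can be attempted; the later renegotiation, key swap and peer reconfiguration still depend on the capability staying effective after the user switch.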
