Hi, On Tue, Aug 16, 2022 at 11:16:50AM +0200, Steffan Karger wrote: > So I'm really not in favour of retaining CAP_NET_ADMIN "just in case". > I would even like to be able to not retain it at all.
I hear what you say, and I support that line of thought.
Alas, with current Linux-DCO, we need this for fiddling all the DCO bits
(keys / key renewal! / peer-id / install/update peers), as this is done
via netlink, and netlink requires CAP_NET_ADMIN.
To get around that we'd need to find a communication channel to
(Linux-)DCO that does not require privileges after initial setup
("hey, DCO, give me a socket that does not need privileges") and
rewrite quite a bit... I'm sure that Antonio will be thrilled by
that new challenge... :-)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
