Hi, On Thu, May 15, 2025 at 12:04:46PM +0200, Stefanie Leisestreichler (Febas) wrote: > What I do not understand is: As far as I know, openvpn is started with root > rights to build the context for a running instance. If that is true, why > can't the key been read during that phase and has to be made available for > user openvpn (at least with arch)? Or is my assumption/understanding wrong?
If you run openvpn 2.x as "openvpn --user nobody", it will start as root,
gather what it needs, and then suids to "nobody".
This seems to be about 3.x, which works differently :-) - and SystemD,
which does everything differently again, so in this case the unit files
will do the user change, and openvpn is started with non-root permissions
-> no access to anything root-owned.
Arguably the second one is the more secure way to do things, as there is
no "still running as root" phase - but it brings much more complications
of course ("how can it then manipulate ifconfig/route/dns?").
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
