On 15/05/2025 15:30, Stefanie Leisestreichler (Febas) wrote:
> On 5/15/25 14:48, David Sommerseth wrote:
[...snip...]
>>
>> Not when starting via systemd. In this case, when `User=openvpn` is
>> set in the service unit file, systemd will drop to that user and set the
>> requested capabilities before executing the binary in ExecStart=.
>>
>> But due to OpenVPN 2.x allowing a lot to happen before it normally drops
>> privileges, a lot of additional capabilities were needed to grant to it -
>> otherwise a lot of configurations didn't work as intended.
>>
>>
> So when I get you right, user openvpn in combination with systemd has a
> lot more rights than nobody ever had...
Not quite so.

When starting OpenVPN without systemd, it must be started as root to have all the needed privileges. When openvpn has completed the initialization, it will drop to the user given in the openvpn configuration along with a lesser set of capabilities. During this initialization phase, the openvpn process has full root access and capabilities.

When starting OpenVPN with systemd, the openvpn process will be started as the openvpn user with a reduced set of capabilities. The reduced set of capabilities is still quite comprehensive, but it is still a bit less than when starting directly as root.

The difference is basically that when starting it via systemd, the openvpn process and most of the script hooks and plugins will never have the full root privileges, even in the early stages. After the initialization phase has completed, the systemd approach will have basically the same set of capabilities enabled.

In the source code, platform_user_group_set() is the function handling this.

It should be possible to narrow down the needed capabilities even more in the systemd case, but that will require some refactoring to detect it being started more restricted and drop the steps of reducing its capability set. And it would need some additional helper service for the script hooks to work well without needing to be re-written as well.

--
kind regards,

David Sommerseth
OpenVPN Inc

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
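The thread turns on which capabilities the openvpn process actually holds at each stage (full root during initialization when started directly, a reduced but still broad set when systemd applies `User=` and the unit's capability settings, and the post-`platform_user_group_set()` set afterwards). The script below is an added example for checking that on a running system; it is not code from the thread or from the OpenVPN project. It decodes the `CapEff`/`CapPrm`/`CapBnd`/`CapAmb` bitmasks that the kernel exposes in `/proc/<pid>/status` into capability names and compares the effective set against an allow list. The sample status text and the `ALLOWED_CAPS` policy are constructed for illustration; they are not OpenVPN's real capability requirements, which you should take from your own unit file and the project's documentation.

```python
"""Decode Linux capability sets from /proc/<pid>/status and flag surprises.

Usage on a live host (Linux only):
    python3 check_caps.py <pid of openvpn>
With no argument the constructed sample below is analysed instead.
"""
import sys
from typing import Dict, List, Set

# Kernel capability numbering (bit index == capability number), as of
# Linux 5.9+: 41 capabilities, CAP_CHOWN (0) .. CAP_CHECKPOINT_RESTORE (40).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Hypothetical allow list for a service unit, constructed for this example.
ALLOWED_CAPS: Set[str] = {
    "CAP_DAC_OVERRIDE", "CAP_SETGID", "CAP_SETUID",
    "CAP_NET_BIND_SERVICE", "CAP_NET_ADMIN", "CAP_SYS_CHROOT",
}

# Constructed /proc/<pid>/status excerpt: an openvpn process already running
# as an unprivileged uid with a narrowed effective set (mask 0x434c2).
SAMPLE_STATUS = """Name:\topenvpn
Uid:\t997\t997\t997\t997
Gid:\t997\t997\t997\t997
CapInh:\t0000000000000000
CapPrm:\t00000000000434c2
CapEff:\t00000000000434c2
CapBnd:\t00000000000434c2
CapAmb:\t0000000000000000
"""


def decode_cap_mask(mask_hex: str) -> List[str]:
    """Turn a hex capability bitmask into capability names, lowest bit first."""
    mask = int(mask_hex, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Unknown (newer-kernel) bits are reported by number, not dropped.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_proc_status(text: str) -> Dict[str, object]:
    """Extract the identity and capability fields from /proc/<pid>/status text."""
    fields: Dict[str, object] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key in ("Uid", "Gid"):
            fields[key] = value.split()           # real, effective, saved, fs
        elif key in CAP_FIELDS:
            fields[key] = decode_cap_mask(value)
        elif key == "Name":
            fields[key] = value
    return fields


def unexpected_caps(fields: Dict[str, object], allowed: Set[str]) -> Set[str]:
    """Effective capabilities the process holds beyond the allow list."""
    return set(fields.get("CapEff", [])) - allowed


def is_still_root(fields: Dict[str, object]) -> bool:
    """True while the effective uid is 0, i.e. before privileges were dropped."""
    uid = fields.get("Uid", [])
    return bool(uid) and uid[1] == "0"


def read_process_caps(pid: str) -> Dict[str, object]:
    """Read and parse /proc/<pid>/status from the running system."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return parse_proc_status(fh.read())


def report(fields: Dict[str, object]) -> str:
    lines = [f"{fields.get('Name', '?')}: uid={fields.get('Uid')} root={is_still_root(fields)}"]
    for key in CAP_FIELDS:
        lines.append(f"  {key}: {', '.join(fields.get(key, [])) or '(none)'}")
    extra = unexpected_caps(fields, ALLOWED_CAPS)
    lines.append(f"  beyond allow list: {', '.join(sorted(extra)) or '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    data = read_process_caps(sys.argv[1]) if len(sys.argv) > 1 else parse_proc_status(SAMPLE_STATUS)
    print(report(data))
```

Run it twice against a directly started (non-systemd) openvpn, once during startup and once after the configuration is up, and the difference between the two `CapEff` lines is the drop performed by platform_user_group_set(); run it against the systemd-started process and the first reading already shows the unit's reduced set and a non-zero uid. `CapBnd` is worth comparing too, since that bound limits what the process could ever regain regardless of what it currently holds.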