Re: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user

2018-04-25 Thread Selva Nair
Hi, On Tue, Apr 24, 2018 at 4:16 PM, Christian Hesse wrote: > Antonio Quartulli on Tue, 2018/04/24 23:08: >> OTOH I understand that there are people that don't care about having a >> working tunnel reconfiguration and are fine with starting openvpn as >> root

Re: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user

2018-04-25 Thread Gert Doering
Hi, On Mon, Apr 23, 2018 at 11:28:13AM +0200, Christian Hesse wrote: > @@ -1151,6 +1151,14 @@ do_uid_gid_chroot(struct context *c, bool no_delay) > /* set user and/or group if we want to setuid/setgid */ > if (c0->uid_gid_specified) > { > +#ifdef ENABLE_SYSTEMD > +

Re: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user

2018-04-25 Thread Gert Doering
Hi, On Tue, Apr 24, 2018 at 10:16:36PM +0200, Christian Hesse wrote: > No need to have root involved. Sounds good? This is not our traditional approach of "give people rope to hang themselves if they want so". So I'll NAK any patch that *requires* use of systemd, capabilities and non-root users

Re: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user

2018-04-25 Thread Gert Doering
Hi, On Tue, Apr 24, 2018 at 11:08:22PM +0800, Antonio Quartulli wrote: > Generally speaking I believe that openvpn, as a VPN and partly routing > daemon, should be allowed to run with CAP_NET_ADMIN set as it enables > more features (tunnel reconfiguration to start with). If we go there, we might

Re: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user

2018-04-24 Thread Antonio Quartulli
Hi, On 24/04/18 21:08, Simon Ruderich wrote: >> I do not agree that the process is running with root privileges. It has some >> extra capabilities, but it can not kill processes, fork away and change >> cgroups, etc. >> IMHO that is what we want to achieve. > > I disagree. A process with

Re: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user

2018-04-24 Thread Simon Ruderich
On Tue, Apr 24, 2018 at 12:03:37PM +0200, Christian Hesse wrote: > The above snippet holds code for both, netlink and iproute2 versions. > > The iproute2 version (that is what is used currently) uses systemd option > "CapabilityBoundingSet" to limit the capabilities to the given set. If >

Re: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user

2018-04-24 Thread Christian Hesse
Simon Ruderich on Tue, 2018/04/24 10:38: > I haven't followed the netlink conversion in detail, so please > tell me if the following was already discussed and I've just > missed it. No, it has not been discussed and needs a review. > On Mon, Apr 23, 2018 at 11:28:13AM +0200,

Re: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user

2018-04-24 Thread Simon Ruderich
Hello, I haven't followed the netlink conversion in detail, so please tell me if the following was already discussed and I've just missed it. On Mon, Apr 23, 2018 at 11:28:13AM +0200, Christian Hesse wrote: > if ENABLE_SYSTEMD > +if ENABLE_IPROUTE > +SYSTEMD_USER=root >