Re: [Openvpn-users] Permission Error with systemd

[Gert D. <ge...@gr...>]

Hi,

On Thu, May 15, 2025 at 12:04:46PM +0200, Stefanie Leisestreichler (Febas) wrote:
> What I do not understand is: As far as I know, openvpn is started with root
> rights to build the context for a running instance. If that is true, why
> can't the key been read during that phase and has to be made available for
> user openvpn (at least with arch)? Or is my assumption/understanding wrong?

If you run openvpn 2.x as "openvpn --user nobody", it will start as root, 
gather what it needs, and then suids to "nobody".

This seems to be about 3.x, which works differently :-) - and SystemD,
which does everything differently again, so in this case the unit files
will do the user change, and openvpn is started with non-root permissions
-> no access to anything root-owned.

Arguably the second one is the more secure way to do things, as there is
no "still running as root" phase - but it brings much more complications
of course ("how can it then manipulate ifconfig/route/dns?").

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             ge...@gr...