Menu
▾
▴
Re: [Openvpn-users] Permission Error with systemd
|
From: Stefanie L. (Febas)
<ste...@pe...> - 2025-05-15 13:30:56
|
On 5/15/25 14:48, David Sommerseth wrote: > On 15/05/2025 12:04, Stefanie Leisestreichler (Febas) wrote: >> On 5/15/25 11:49, David Sommerseth wrote: >> >>> >>> Try to change the owner of the key file from root to openvpn. >>> >>> The openvpn-server@.service and openvpn-client@.service units has been >>> written to lock down and strip the openvpn process from as many >>> privileges as possible. Unfortunately, the list of needed privileges is >>> still fairly long. >>> >>> >> chown will make it running. >> >> What I do not understand is: As far as I know, openvpn is started with >> root rights to build the context for a running instance. If that is >> true, why can't the key been read during that phase and has to be made >> available for user openvpn (at least with arch)? Or is my assumption/ >> understanding wrong? > > Not when starting via systemd. In this case, when the `User=openvpn` is > set in the service unit file, systemd will drop to that user and set the > requested capabilities before executing the binary in ExecStart=. > > But due to OpenVPN 2.x allowing a lot to happen before it normally drops > privileges, a lot of additional capabilities was needed to grant to it - > otherwise a lot of configurations didn't work as intended. > > So when I get you right user openvpn in combination with systemd has a lot more rights than nobody ever had... |
