From: Stefanie L. (Febas) <ste...@pe...> - 2025-05-15 17:41:44

On 5/15/25 16:46, David Sommerseth wrote:
> On 15/05/2025 15:30, Stefanie Leisestreichler (Febas) wrote:
>> On 5/15/25 14:48, David Sommerseth wrote:
> [...snip...]
>>>
>>> Not when starting via systemd. In this case, when the `User=openvpn` is
>>> set in the service unit file, systemd will drop to that user and set the
>>> requested capabilities before executing the binary in ExecStart=.
>>>
>>> But due to OpenVPN 2.x allowing a lot to happen before it normally drops
>>> privileges, a lot of additional capabilities had to be granted to it -
>>> otherwise a lot of configurations didn't work as intended.
>>>
>>>
>> So when I get you right, user openvpn in combination with systemd has a
>> lot more rights than nobody ever had...
>
> Not quite so.
>
> When starting OpenVPN without systemd, it must be started as root to
> have all the needed privileges. When openvpn has completed the
> initialization, it will drop to the user given in the openvpn
> configuration along with a lesser set of capabilities. During this
> initialization phase, the openvpn process has full root access and
> capabilities.
>
> When starting OpenVPN with systemd, the openvpn process will be started
> as the openvpn user with a reduced set of capabilities. The reduced set
> of capabilities is still quite comprehensive, but it is still a bit less
> than when starting directly as root.
>
> The difference is basically that starting it via systemd, the openvpn
> process and most of the script hooks and plugins will never have the
> full root privileges, even in the early stages. After the
> initialization phase has completed, the systemd approach will have
> basically the same set of capabilities enabled. In the source code,
> platform_user_group_set() is the function handling this.
>
> It should be possible to narrow down the needed capabilities even more
> in the systemd case, but that will require some refactoring to detect it
> being started more restricted and drop the steps of reducing its
> capability set. And it would need some additional helper service for
> the script hooks to work well without needing to be re-written as well.
>

Thanks for your time and background info.
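As an added illustration (not part of the thread, and not OpenVPN's or systemd's own code), here is how an administrator can verify which capabilities the running openvpn process actually holds after the drop described above, by decoding the Cap* lines of /proc/<pid>/status rather than trusting the unit file. The EXPECTED set and the status excerpt are constructed for this example and are not taken from OpenVPN's real unit.

```python
import re

# Bit positions from the Linux kernel's capability.h (a stable ABI).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed for this example: the capabilities we expect the unit file to
# leave enabled for openvpn (not taken from OpenVPN's real unit).
EXPECTED = {
    "CAP_DAC_OVERRIDE", "CAP_SETGID", "CAP_SETUID", "CAP_NET_BIND_SERVICE",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_SYS_CHROOT",
    "CAP_AUDIT_WRITE",
}

# Constructed /proc/<pid>/status excerpt: EXPECTED plus a stray CAP_SYS_ADMIN.
SAMPLE_STATUS = (
    "Name:\topenvpn\n"
    "CapPrm:\t00000000202474c2\n"
    "CapEff:\t00000000202474c2\n"
    "CapBnd:\t00000000202474c2\n"
)

def decode_caps(mask_hex):
    """Map a hex capability mask, as printed in /proc, to capability names."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}

def parse_status(text):
    """Return {set name: decoded caps} for every Cap* line of a status file."""
    caps = {}
    for line in text.splitlines():
        m = re.match(r"(Cap\w+):\s+([0-9a-fA-F]+)", line)
        if m:
            caps[m.group(1)] = decode_caps(m.group(2))
    return caps

def excess_caps(status_text, expected=EXPECTED):
    """Effective capabilities held beyond the expected set; empty is good."""
    return parse_status(status_text)["CapEff"] - set(expected)
```

On a live host, pass the contents of /proc/<pid>/status of the openvpn process to excess_caps(); anything it returns is a capability the unit file grants beyond what you intended.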