

Status: "Initialization Sequence Completed"
CGroup: /usr/sbin/openvpn -status /run/openvpn-server/status-server.log -status-version 2 -suppress-timestamps -config nf
The openvpn process is never started with root permissions.
Loaded: loaded enabled vendor preset: enabled)
Active: active (running) since Tue 09:01:19 UTC 4min 39s ago
This is more secure than the built-in directives (-user and -group) because
Reduces the impact of bugs and exploitable vulnerabilities in OpenVPN, on the
Anyone able to edit those scripts will also be able to
As for running OpenVPN as an unprivileged user - as mentioned above, this
The impact of the former is described by man ip, the latter depends
ip command and the up/down scripts specified in the OpenVPN config (if any) as root.
The unprivileged user supplied to openvpn-unroot will be allowed to run the
To be run with sudo by untrusted users, as that would allow them to run
What are the security implications of using openvpn-unroot ?
As for openvpn-unroot itself - it should not be made setuid root, nor allowed
Arch users can pass -g network to openvpn-unroot, to avoid this issue.
etc/openvpn/client directory is not world-readable, so if any files end up being placed there, it will trigger the warning.
Readable to them, a warning will be issued.
If a file that the chosen unprivileged user needs to be able to read is not
Will be changed when version 2.4.1, containing a fix, is released.
The persist-tun option is turned off in generated configs, due to a
Beyond that, dependencies are minimal and should be met by any system running OpenVPN (list available
Filenames supplied can't contain whitespace.
What are the requirements/assumptions/limitations ?
bash >=4.4 is required.
Missing, an error will be returned, along with a message specifying what
Liking, they can be overridden using the switches described in the help message
Actions can be skipped entirely (using -no-, or -S option1,option2), for non-interactive use, the -automagic switch should be dropped and each action should be explicitly specified instead.
If any of the choices made automatically are not to the user's
INFO: Generating unit file
this is acceptable, the -pretend switch can be dropped, to perform all
INFO: Generating config file /etc/openvpn/client/nf
INFO: Generating netdev file /etc/systemd/network/dev

INFO: Generating up file /etc/openvpn/client/vpnfailsafe-unrooted.sh

INFO: Generating iproute file /etc/openvpn/client/ip-unrooted.sh
INFO: Generating sudoers file /etc/sudoers.d/foo-unrooted
$ openvpn -apv /etc/openvpn/client/foo.conf
Save the openvpn-unroot script somewhere, make it executable and run it as
Without the -automagic switch - only the actions explicitly requested are.
In this mode any specific settings can still be
Without requiring any input from the user, other than an existing OpenVPN client config file.
With the -automagic switch - that makes openvpn-unroot "do the needful",
An OpenVPN config, that puts all of the above together.
A static tun/tap device and/or a systemd.
Sudo wrappers for iproute and up/down scripts.
Sudoers entries necessary to call iproute and up/down scripts.
Openvpn-unroot can produce any subset of the following:
To minimize the impact of bugs and/or vulnerabilities on the system running
Openvpn-unroot can infer everything it needs to know, but every aspect of its
It is not a wrapper and only needs to be called once per config.
Openvpn-unroot is a script, that consumes an existing OpenVPN client config and produces everything necessary to run OpenVPN as an unprivileged
The most basic tests pass on Arch, Debian Stretch, Fedora Rawhide (development releases chosen due to bash >=4.4
