Hi,

On Thu, Mar 31, 2022 at 04:38:06PM +0200, David Sommerseth wrote:
> We could "fix" --down now, but I will not recommend it at all. We could
> add the CAP_DAC_OVERRIDE capability. But that's a massive sledge
> hammer, giving read/write access to any file on the system. Only
> security modules like SELinux, AppArmor and such can block access with
> this capability enabled. So this is definitely not the right capability
> to have in the main OpenVPN process now.

I agree.
This is not what I was suggesting (not at all), just pointing out that
the combination of --up, --user and --down is not with its own set
of surprises ;-)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
