The bounding set being empty will overpower the likes of su/sudo
and will make it impossible for any child processes to ever gain
additional privileges again.

This fixes https://github.com/OpenVPN/openvpn/issues/220

Signed-off-by: Timo Rothenpieler <t...@rothenpieler.org>
---
 src/openvpn/platform.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index 1b5fa9ad..580c4cb8 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -246,7 +246,7 @@ platform_user_group_set(const struct platform_state_user 
*user_state,
     /* Change to new UID/GID.
      * capng_change_id() internally calls capng_apply() to apply prepared 
capabilities.
      */
-    res = capng_change_id(new_uid, new_gid, CAPNG_DROP_SUPP_GRP | 
CAPNG_CLEAR_BOUNDING);
+    res = capng_change_id(new_uid, new_gid, CAPNG_DROP_SUPP_GRP);
     if (res == -4 || res == -6)
     {
         /* -4 and -6 mean failure of setuid/gid respectively.
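Review bot: the comment above the capng_change_id() call still only says that it applies the prepared capabilities, so nothing at the call site records that the bounding set is now left intact on purpose. Consider extending that comment with a line stating that CAPNG_CLEAR_BOUNDING is deliberately not passed, because an empty bounding set prevents child processes from gaining privileges through su/sudo, as the commit message explains. Without that, a later hardening cleanup could re-add the flag and bring back issue 220. It would also be worth stating in the commit message or the comment that the trade-off is accepted: child processes started after the UID/GID change keep the inherited bounding set and can therefore regain capabilities through setuid or file-capability binaries.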
-- 
2.34.1



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
