[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

[Openvpn-users] Re: learn-address script executed after downgrade user?

  • Subject: [Openvpn-users] Re: learn-address script executed after downgrade user?
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Sun, 12 Dec 2004 13:56:13 -0600

Expected behaviour. Dropping root privileges is somewhat less useful if
you actually keep them through execution time (when the learn-address
script is prone to being called). It's possible to write a plugin to fork
off a root process before privileges are dropped which can then be invoked
to call a script later on, but this is inherently dangerous -- you're
passing data from a non-privileged process that's unprivileged
specifically because you're concerned that it could be subverted to a
privileged process that does its dirty work for it -- and you need to be
careful about validating all communications between the two.

That warning given, James already demonstrates how to do the
fork-before-dropping-privileges trick with his down-root plugin.

You could also arrange for some other mechanism for privilege elevation
such as sudo by the openvpn user. (You're using an openvpn user, not
nobody, right? Good). You'll still want to be careful about granting only
the minimum necessary set of rights, validating input, that whole fun bit.

Openvpn-users mailing list