To clarify: setting up interfaces/routes as root is no problem, but I don't want any of the protocol/transport/etc. code running as root.
Replying to @RichFelker
use setcap, seccomp-bpf and AppArmor/MAC. I don't know of any good public how-to for OpenVPN? I should probably post it...
Replying to @dyn___
I think you missed the point; see the whole thread. Giving non-root openvpn caps to let it change net ifs is not what I want.
Replying to @RichFelker
are you talking about tun/tap? With what I mentioned you can run the OpenVPN binary without root.
Replying to @dyn___ @RichFelker
could also drop any root caps after it adds routes via net_admin? Or wrap it in a new userns?
Replying to @dyn___
By the time it does that it's already had complex interaction with untrusted remote while running as root.
Replying to @RichFelker
good point, maybe there's a flag to accept nothing from the server?
Replying to @dyn___
Using --tls-client instead of --client (i.e. not --pull), but that breaks authentication for no reason (hard-coded to fail).
Replying to @RichFelker
it needs a paranoid mode that does the minimum possible and exposes the smallest attack surface - plus a seccomp whitelist and NNP.
Replying to @dyn___
Well that would be nice too, but just running as its own non-root user covers the biggest risks.
The biggest flaw is a model that treats the server as absolutely-trusted rather than assumed-compromised/malicious.
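The separation argued for in this thread (privileged interface/route setup first, then drop root, clear capabilities and set no_new_privs before the first byte is exchanged with the remote), written out as an added C example; it is not code from the thread or from OpenVPN, and it assumes Linux with glibc and that uid/gid 65534 is an unprivileged account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>
#define CAP_NET_ADMIN_BIT 12 /* bit index of CAP_NET_ADMIN in the CapEff mask */

/* Effective capability mask of this process, read from /proc/self/status.
 * Returns 0 and fills *mask, or -1 if the CapEff line was not found. */
static int effective_caps(unsigned long long *mask) {
    char line[256];
    int rc = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) { *mask = strtoull(line + 7, NULL, 16); rc = 0; break; }
    fclose(f);
    return rc;
}
static int has_cap(unsigned long long mask, int bit) { return (int)((mask >> bit) & 1); }

/* Switch to an unprivileged uid/gid (root only). Because the uid leaves 0, the
 * kernel clears the effective and permitted capability sets, so CAP_NET_ADMIN
 * is gone. Order matters: supplementary groups, then gid, then uid. */
static int drop_to_user(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) < 0 || setresgid(gid, gid, gid) < 0 || setresuid(uid, uid, uid) < 0)
        return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* the drop must be irreversible */
    return 0;
}
/* no_new_privs: from now on execve() can never add privileges (setuid bits, file caps). */
static int set_no_new_privs(void) { return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); }
static int has_no_new_privs(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

int main(void) {
    unsigned long long caps;
    /* 1. Privileged phase: open the tun device and add routes here (omitted). */
    /* 2. Drop root BEFORE the first packet is exchanged with the remote peer;
     *    65534 is assumed to be an unprivileged account such as "nobody". */
    if (geteuid() == 0 && drop_to_user(65534, 65534) < 0) { perror("drop_to_user"); return 1; }
    if (set_no_new_privs() < 0) { perror("no_new_privs"); return 1; }
    /* 3. Verify the state, then hand over to the protocol/transport code. */
    if (effective_caps(&caps) < 0 || has_cap(caps, CAP_NET_ADMIN_BIT) || !has_no_new_privs()) return 1;
    printf("uid=%d CapEff=%016llx no_new_privs=%d\n", (int)geteuid(), caps, has_no_new_privs());
    return 0;
}
```

Run it as root to see the full sequence; as an ordinary user the drop step is skipped and only the verification runs.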