sudo in learn-address-script fails to run commands with 2.6-rc

[senfomat]

Describe the bug

As we install user-specific nft-firewall-rules when the user logs into our OpenVPN-service, we need to run nftables-commands via sudo in our learn-address-scripts. When we tried to run 2.6-rc1/rc2 on Ubuntu 22.10 the scripts we used before throws the error sudo: unable to change to root gid: Operation not permitted when calling the nft-binary via sudo.

This mechanism runs on our production-OpenVPN-Servers (currently with 2.5.8 on Ubuntu 20.04 LTS) since years without any problem. The configuration-snippet:

learn-address /path/to/scripts/openVPN-learnAddress
script-security 3

While testing OpenVPN 2.6-rc1/rc2 and the behaviour with the failing sudo occurred on our Testsystem (Ubuntu 22.10, OpenVPN 2.6-rc2), the Linux-Capabilities came to our attention. So I logged, with which capabilities the script is running (using /sbin/capsh --print):

Logsnippet 2.6

Logsnippet OpenVPN 2.6_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]

Jan 14 12:18:50 localhost openvpn[432999]: Current: =
Jan 14 12:18:50 localhost openvpn[432999]: Bounding set =
Jan 14 12:18:50 localhost openvpn[432999]: Ambient set =
Jan 14 12:18:50 localhost openvpn[432999]: Current IAB: !cap_chown,!cap_dac_override,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setgid,!cap_setuid,!cap_setpcap,!cap_linux_immutable,!cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Jan 14 12:18:50 localhost openvpn[432999]: Securebits: 00/0x0/1'b0
Jan 14 12:18:50 localhost openvpn[432999]:  secure-noroot: no (unlocked)
Jan 14 12:18:50 localhost openvpn[432999]:  secure-no-suid-fixup: no (unlocked)
Jan 14 12:18:50 localhost openvpn[432999]:  secure-keep-caps: no (unlocked)
Jan 14 12:18:50 localhost openvpn[432999]:  secure-no-ambient-raise: no (unlocked)
Jan 14 12:18:50 localhost openvpn[432999]: uid=996(openvpn) euid=996(openvpn)
Jan 14 12:18:50 localhost openvpn[432999]: gid=996(openvpn)
Jan 14 12:18:50 localhost openvpn[432999]: groups=
Jan 14 12:18:50 localhost openvpn[432999]: Guessed mode: UNCERTAIN (0)

The same system with the same settings, downgraded to OpenVPN 2.5, works:

Logsnippet 2.5

Version: OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]

Jan 14 13:39:50 localhost openvpn[435304]: Current: =
Jan 14 13:39:50 localhost openvpn[435304]: Bounding set =cap_dac_override,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write
Jan 14 13:39:50 localhost openvpn[435304]: Ambient set =
Jan 14 13:39:50 localhost openvpn[435304]: Current IAB: !cap_chown,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setpcap,!cap_linux_immutable,!cap_net_broadcast,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Jan 14 13:39:50 localhost openvpn[435304]: Securebits: 00/0x0/1'b0
Jan 14 13:39:50 localhost openvpn[435304]:  secure-noroot: no (unlocked)
Jan 14 13:39:50 localhost openvpn[435304]:  secure-no-suid-fixup: no (unlocked)
Jan 14 13:39:50 localhost openvpn[435304]:  secure-keep-caps: no (unlocked)
Jan 14 13:39:50 localhost openvpn[435304]:  secure-no-ambient-raise: no (unlocked)
Jan 14 13:39:50 localhost openvpn[435304]: uid=996(openvpn) euid=996(openvpn)
Jan 14 13:39:50 localhost openvpn[435304]: gid=996(openvpn)
Jan 14 13:39:50 localhost openvpn[435304]: groups=996(openvpn)
Jan 14 13:39:50 localhost openvpn[435304]: Guessed mode: UNCERTAIN (0)

So the difference between these two is the "Bounding set", where setuid/setgid was allowed in 2.5.

Maybe OpenVPN is dropping too much privileges/capabilities in 2.6? Or is this wanted behavior, as this sudo-solution could potentially lead to security-issues? (In the latter case, we would have to rewrite our firewall-setup-phase).

To Reproduce
Run any command via sudo (for becoming another user) in a learn-address-script.

Expected behavior
Run the sudo-commands as called in the learn-address-script.

Version information (please complete the following information):

• OS: Ubuntu 22.10 (kinetic)
• OpenVPN version: OpenVPN 2.6_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]

[dsommers]

The security aspects in OpenVPN 2.6 has been hardened quite a bit further. So we're dropping more privileges by design.

The appropriate way to do this within newer Linux distributions is to make use of polkit (formerly known as PolicyKit). There is a tool here called pkexec which is far better suited to handle privilege escalation from scripts like your use case.

[hildeb]

So I took the extra mile and replaced to "sudo" calls with "/usr/bin/pkexec" and created some nft related policies and rules:

/usr/share/polkit-1/actions/nft.policy:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">

<policyconfig>
  
   <action id="nft">
      <message>none</message>
      <defaults>
         <allow_any>yes</allow_any>
	 <allow_inactive>yes</allow_inactive>
	 <allow_active>yes</allow_active>
      </defaults>
      <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/nft</annotate>
  </action>
  
</policyconfig>

/etc/polkit-1/rules.d/nft.rules:

polkit.addRule(function(action, subject) {
   if (subject.isInGroup("openvpn")) {
      return polkit.Result.YES;
   }
});

And while this works on the console:

[root@openvpn-gw170] /var/log# su - openvpn
$ /usr/bin/pkexec /usr/sbin/nft -j list map openvpn map_users
{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"map": {"family": "ip", "name": "map_users", "table": "openvpn", "type": "ipv4_addr", "handle": 5, "map": "verdict"}}]}
$ 

it's not working inside openvpn itself:

Jan 16 12:53:49 openvpn-gw170 openvpn-udp[1400]: hildeb/10.31.123.139:33977 OPTIONS IMPORT: compression parms modified
Jan 16 12:53:49 openvpn-gw170 openvpn[2847]: Error setting groups: Operation not permitted
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]: Traceback (most recent call last):
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]:   File "/opt/openvpn/scripts/openVPN-learnAddress", line 35, in <module>
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]:     IPinUsermap = checkIPinUsermap(vpnIP)
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]:   File "/opt/openvpn/scripts/openVPN-learnAddress", line 16, in checkIPinUsermap
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]:     rawCheckout = subprocess.check_output(
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]:   File "/usr/lib/python3.10/subprocess.py", line 420, in check_output
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]:     return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]:   File "/usr/lib/python3.10/subprocess.py", line 524, in run
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]:     raise CalledProcessError(retcode, process.args,
Jan 16 12:53:49 openvpn-gw170 openvpn[2846]: subprocess.CalledProcessError: Command '['/usr/bin/pkexec', '/usr/sbin/nft', '-j', 'list', 'map', 'openvpn', 'map_users']' returned non-zero exit status 127.
Jan 16 12:53:49 openvpn-gw170 openvpn-udp[1400]: hildeb/10.31.123.139:33977 WARNING: Failed running command (--learn-address): external program exited with error status: 1
Jan 16 12:53:49 openvpn-gw170 openvpn-udp[1400]: hildeb/10.31.123.139:33977 MULTI: Learn FAILED: 172.29.0.2 -> hildeb/10.31.123.139:33977

[hildeb]

For kicks I reverted to 2.5.8 with pkexec in the scripts -- that works flawlessly.
There must be an error in 2.6rc2...

[cron2]

Hi,

On Mon, Jan 16, 2023 at 01:07:25AM -0800, David Sommerseth wrote: The appropriate way to do this within newer Linux distributions is to make use of polkit (formerly known as PolicyKit). There is a tool here called [`pkexec`](https://polkit.pages.freedesktop.org/polkit/pkexec.1.html) which is far better suited to handle privilege escalation from scripts like your use case.

How can pkexec do that if setuid capability is gone? Does it use some sort of dbus daemon-invocation mechanism? gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany ***@***.***

[dsommers]

How can pkexec do that if setuid capability is gone? Does it use some sort of dbus daemon-invocation mechanism?

Yes, @cron2 , it kicks off a new process with more privileges if the polkit policy grants that access. I don't recall now exactly how deeply tied this is to D-Bus itself, but it is a common way to run certain commands with more privileges. That's the theory at least 🙂

[senfomat]

How can pkexec do that if setuid capability is gone? Does it use some sort of dbus daemon-invocation mechanism?

Well, @hildeb and I can now say: pkexec cannot do it; when setuid is gone, pkexec does not work as well for these purpose. (Logline Error setting groups: Operation not permitted in the error of @hildeb above)

As this security-tightening change is breaking things, it should get noted in https://github.com/OpenVPN/openvpn/blob/master/Changes.rst#common-errors-with-openssl-30-and-openvpn-26

[dsommers]

@hildeb Can you try updating your polkit pkexec policy to run a script instead, which dumps a capsh --print output? And run this with 2.5 and 2.6, to see the difference the script runs under.

[hildeb]

With 2.5.8:

Jan 16 14:42:01 openvpn-gw170 openVPN-clientConnect: {"user": "hildeb", "common_name": "hildeb", "platform": "linux", "version": "2.5.5", "gui_version": ""}
Jan 16 14:42:01 openvpn-gw170 openvpn-udp[4990]: hildeb/10.31.123.139:52569 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4ecad4e3708c18a433883657e6ef1c97.tmp
Jan 16 14:42:01 openvpn-gw170 openvpn-udp[4990]: hildeb/10.31.123.139:52569 OPTIONS IMPORT: compression parms modified
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: ---- raw caps
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Current: =
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Bounding set =cap_dac_override,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Ambient set =
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Current IAB: !cap_chown,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setpcap,!cap_linux_immutable,!cap_net_broadcast,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Securebits: 00/0x0/1'b0
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]:  secure-noroot: no (unlocked)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]:  secure-no-suid-fixup: no (unlocked)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]:  secure-keep-caps: no (unlocked)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]:  secure-no-ambient-raise: no (unlocked)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: uid=996(openvpn) euid=996(openvpn)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: gid=996(openvpn)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: groups=996(openvpn)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Guessed mode: UNCERTAIN (0)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: raw caps ----
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: ---- pkexec caps
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Current: cap_dac_override,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write=ep
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Bounding set =cap_dac_override,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Ambient set =
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Current IAB: !cap_chown,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setpcap,!cap_linux_immutable,!cap_net_broadcast,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Securebits: 00/0x0/1'b0
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]:  secure-noroot: no (unlocked)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]:  secure-no-suid-fixup: no (unlocked)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]:  secure-keep-caps: no (unlocked)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]:  secure-no-ambient-raise: no (unlocked)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: uid=0(root) euid=0(root)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: gid=0(root)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: groups=0(root)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: Guessed mode: UNCERTAIN (0)
Jan 16 14:42:01 openvpn-gw170 openvpn[6131]: pkexec caps ----

With 2.6rc2:

Jan 16 14:44:55 openvpn-gw170 openVPN-clientConnect: {"user": "hildeb", "common_name": "hildeb", "platform": "linux", "version": "2.5.5", "gui_version": ""}
Jan 16 14:44:55 openvpn-gw170 openvpn-udp[6516]: hildeb/10.31.123.139:55058 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4a298cacc6df64d484ded1e704118d9.tmp
Jan 16 14:44:55 openvpn-gw170 openvpn-udp[6516]: hildeb/10.31.123.139:55058 OPTIONS IMPORT: compression parms modified
Jan 16 14:44:55 openvpn-gw170 openvpn[6564]: Error setting groups: Operation not permitted
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: ---- raw caps
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: Current: =
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: Bounding set =
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: Ambient set =
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: Current IAB: !cap_chown,!cap_dac_override,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setgid,!cap_setuid,!cap_setpcap,!cap_linux_immutable,!cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: Securebits: 00/0x0/1'b0
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:  secure-noroot: no (unlocked)
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:  secure-no-suid-fixup: no (unlocked)
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:  secure-keep-caps: no (unlocked)
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:  secure-no-ambient-raise: no (unlocked)
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: uid=996(openvpn) euid=996(openvpn)
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: gid=996(openvpn)
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: groups=
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: Guessed mode: UNCERTAIN (0)
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: raw caps ----
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: Traceback (most recent call last):
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:   File "/opt/openvpn/scripts/openVPN-learnAddress", line 38, in <module>
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:     output = subprocess.check_output(["/usr/bin/pkexec", "/sbin/capsh", "--print"])
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:   File "/usr/lib/python3.10/subprocess.py", line 420, in check_output
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:     return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:   File "/usr/lib/python3.10/subprocess.py", line 524, in run
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]:     raise CalledProcessError(retcode, process.args,
Jan 16 14:44:55 openvpn-gw170 openvpn[6562]: subprocess.CalledProcessError: Command '['/usr/bin/pkexec', '/sbin/capsh', '--print']' returned non-zero exit status 127.
Jan 16 14:44:55 openvpn-gw170 openvpn-udp[6516]: hildeb/10.31.123.139:55058 WARNING: Failed running command (--learn-address): external program exited with error status: 1

[hildeb]

Output was generated by:

output = subprocess.check_output(["/sbin/capsh", "--print"])
print("---- raw caps")
print(str(output.decode('utf8')))
print("raw caps ----")

output = subprocess.check_output(["/usr/bin/pkexec", "/sbin/capsh", "--print"])
print("---- pkexec caps")
print(str(output.decode('utf8')))
print("pkexec caps ----")

[dsommers]

I've poked a little bit at the code. I see that the "Bounding set" is empty in OpenVPN 2.6rc2, which I believe is the crux of the issue. That said, it might just need a few more tweaks and not just reverting the capabilities changes (commit 2e359a0).

It will be needed to go deeper into the CAPNG_CLEAR_BOUNDING flag set in platform.c:249 and see if that flag is wrongly used or if there are certain capabilities we need to explicitly add. We need to chose the path which gives the least chance of wrongly increasing the privileges too easily afterwards.

openvpn/src/openvpn/platform.c

Line 249 in 39dd79d

res = capng_change_id(new_uid, new_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING);

openvpn/src/openvpn/platform.c

Line 239 in 39dd79d

res = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_NET_ADMIN);

[BtbN]

From all I understand, just dropping the CAPNG_CLEAR_BOUNDING flag should bring it back to the old behaviour.
I'm not 100% sure if that gives the process more power than it should have, but given it had those powers before already (and my normal shell user has them as well) I don't think that's the case.

[BtbN]

I've pushed a patch that does so to https://github.com/BtbN/openvpn if you want something to grab and build for testing.

[hildeb]

We rebuilt a ubuntu openvpn-rc2 package with this patch applied, and yay, it works... For our metric of what "works" means :) Jan 18 15:18:52 localhost openvpn[49487]: ---- raw caps Jan 18 15:18:52 localhost openvpn[49487]: Current: = Jan 18 15:18:52 localhost openvpn[49487]: Bounding set =cap_dac_override,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write Jan 18 15:18:52 localhost openvpn[49487]: Ambient set = Jan 18 15:18:52 localhost openvpn[49487]: Current IAB: !cap_chown,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_linux_immutable,!cap_net_broadcast,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore Jan 18 15:18:52 localhost openvpn[49487]: Securebits: 00/0x0/1'b0 Jan 18 15:18:52 localhost openvpn[49487]: secure-noroot: no (unlocked) Jan 18 15:18:52 localhost openvpn[49487]: secure-no-suid-fixup: no (unlocked) Jan 18 15:18:52 localhost openvpn[49487]: secure-keep-caps: no (unlocked) Jan 18 15:18:52 localhost openvpn[49487]: secure-no-ambient-raise: no (unlocked) Jan 18 15:18:52 localhost openvpn[49487]: uid=996(openvpn) euid=996(openvpn) Jan 18 15:18:52 localhost openvpn[49487]: gid=996(openvpn) Jan 18 15:18:52 localhost openvpn[49487]: groups= Jan 18 15:18:52 localhost openvpn[49487]: Guessed mode: UNCERTAIN (0) Jan 18 15:18:52 localhost openvpn[49487]: raw caps ---- and Jan 18 15:18:52 localhost openvpn[49487]: ---- pkexec caps Jan 18 15:18:52 localhost openvpn[49487]: Current: cap_dac_override,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write=ep Jan 18 15:18:52 localhost openvpn[49487]: Bounding set =cap_dac_override,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write Jan 18 15:18:52 localhost openvpn[49487]: Ambient set = Jan 18 15:18:52 localhost openvpn[49487]: Current IAB: !cap_chown,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_linux_immutable,!cap_net_broadcast,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore Jan 18 15:18:52 localhost openvpn[49487]: Securebits: 00/0x0/1'b0 Jan 18 15:18:52 localhost openvpn[49487]: secure-noroot: no (unlocked) Jan 18 15:18:52 localhost openvpn[49487]: secure-no-suid-fixup: no (unlocked) Jan 18 15:18:52 localhost openvpn[49487]: secure-keep-caps: no (unlocked) Jan 18 15:18:52 localhost openvpn[49487]: secure-no-ambient-raise: no (unlocked) Jan 18 15:18:52 localhost openvpn[49487]: uid=0(root) euid=0(root) Jan 18 15:18:52 localhost openvpn[49487]: gid=0(root) Jan 18 15:18:52 localhost openvpn[49487]: groups=0(root) Jan 18 15:18:52 localhost openvpn[49487]: Guessed mode: UNCERTAIN (0) Jan 18 15:18:52 localhost openvpn[49487]: pkexec caps ---- The firewalling scripts are able to perform their duties (again), like back in 2.5.x Am Mi., 18. Jan. 2023 um 14:46 Uhr schrieb BtbN ***@***.***>:

…

I've pushed a patch that does so to https://github.com/BtbN/openvpn if you want something to grab and build for testing. — Reply to this email directly, view it on GitHub <#220 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AASQLWTG5WYRCEWGXWLFKQDWS7X4PANCNFSM6AAAAAAT3IQF3A> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[dsommers]

Great news! Thx for testing @hildeb!