Opened 10 months ago

Last modified 8 months ago

#1335 new Bug / Defect

OpenVPN's man page / documentation suggests to run daemon as user 'nobody' under Linux

Reported by: dirdi
Owned by:
Priority: major
Milestone:
Component: Documentation
Version: OpenVPN 2.4.9 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: nobody privileges daemon
Cc: tct

Description

The man page currently states:

By setting user to nobody or somebody similarly unprivileged,
the hostile party would be limited in what damage they could cause.

This is bad advice and can even lead to security breaches. One should never run a daemon as user 'nobody', but instead create a dedicated user (e.g. 'openvpn') for each daemon. This is because there is no separation between daemons that run under the same user. The user 'nobody' is dedicated to NFS, only.

See also:
https://wiki.ubuntu.com/nobody
https://askubuntu.com/a/674397/993315
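
The separation argument in the description can be checked on a host. The shell sketch below is an added example, not part of the ticket or of OpenVPN's own code: it reads the `user` directive from a config and reports which other daemons in a `ps -eo user=,comm=` listing run under the same account. The file names, the `openvpn` account and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket or the OpenVPN project).

# Print the account named by the "user" directive in OpenVPN config $1.
# awk splits on whitespace, so indented directives match and lines
# commented out with '#' or ';' do not. If the directive is repeated,
# the last occurrence is printed (a simplification of this sketch).
openvpn_user() {
    awk '$1 == "user" && NF >= 2 { u = $2 } END { if (u != "") print u }' "$1"
}

# Read "user command" pairs on stdin (the format of `ps -eo user=,comm=`)
# and print the distinct non-openvpn commands running as account $1.
others_running_as() {
    awk -v u="$1" '$1 == u && $2 != "openvpn" && !seen[$2]++ { print $2 }'
}

# Verdict for config $1 against process listing $2:
#   no-drop           no user directive, daemon keeps its starting identity
#   shared:<cmds>     the account is also used by the listed other daemons
#   dedicated:<user>  nothing else in the listing runs as that account
audit_config() {
    u=$(openvpn_user "$1")
    if [ -z "$u" ]; then echo "no-drop"; return; fi
    others=$(others_running_as "$u" < "$2" | sort | paste -sd, -)
    if [ -n "$others" ]; then echo "shared:$others"; else echo "dedicated:$u"; fi
}

# Constructed sample data, written to a temporary directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'dev tun' '  user nobody' 'group nogroup' > "$tmp/weak.conf"
printf '%s\n' 'dev tun' ';user nobody' 'user openvpn' 'group openvpn' \
    > "$tmp/fixed.conf"
printf '%s\n' 'root sshd' 'nobody openvpn' 'nobody dnsmasq' \
    'nobody memcached' 'openvpn openvpn' > "$tmp/ps.txt"

audit_config "$tmp/weak.conf"  "$tmp/ps.txt"
audit_config "$tmp/fixed.conf" "$tmp/ps.txt"
```

On a live system, replace the constructed listing with the output of `ps -eo user=,comm=` saved to a file.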

Change History (2)

comment:1 Changed 10 months ago by tct

Cc: tct added

comment:2 Changed 8 months ago by Gert Döring

Patches to the (2.5.0 or master) documentation welcome.

Or even textual suggestions here in the ticket how the new text should read.
