Opened 2 years ago

Closed 31 hours ago

#1335 closed Bug / Defect (fixed)

OpenVPN's man page / documentation suggests to run daemon as user 'nobody' under Linux

Reported by: dirdi Owned by: flichtenheld
Priority: major Milestone: release 2.6
Component: Documentation Version: OpenVPN 2.4.9 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: nobody privileges daemon
Cc: tct

Description

The man page currently states:

By setting user to nobody or somebody similarly unprivileged,
the hostile party would be limited in what damage they could cause.

This is bad advice and can even lead to security breaches. One should never run a daemon as user 'nobody', but instead create a dedicated user (e.g. 'openvpn') for each daemon. This is because there is no separation between daemons that run under the same user. The user 'nobody' is dedicated to NFS only.

See also:
https://wiki.ubuntu.com/nobody
https://askubuntu.com/a/674397/993315

Change History (6)

comment:1 Changed 2 years ago by tct

Cc: tct added

comment:2 Changed 2 years ago by Gert Döring

Patches to the (2.5.0 or master) documentation welcome.

Or even textual suggestions here in the ticket on how the new text should read.

comment:3 Changed 13 months ago by tct

Old text:

--user user

Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second line of defense.

By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one or more of the --persist options to ensure that OpenVPN doesn't need to execute any privileged operations in order to restart (such as re-reading key files or running ifconfig on the TUN device).

New text:

--- as a second line of defense.

+ It is considered to be more secure to run OpenVPN as a dedicated user, e.g. openvpn. This means that the openvpn daemon is separated from other processes which run as user nobody. This user can also be configured with sudo rights for commands such as ip, which OpenVPN may require to configure devices and routing.

--- By setting user to nobody or
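As an added example (not code from the ticket or from the OpenVPN project), a small POSIX sh audit that flags the settings the description and the proposed text above warn about: a missing user directive, user nobody, and absent persist-key / persist-tun. The function names and the sample configs are my own; the directive names are OpenVPN's.

```shell
#!/bin/sh
# Added example, not from the ticket or the OpenVPN project: audit an OpenVPN
# config for the privilege-drop settings this ticket discusses. Findings:
# no 'user' directive, 'user nobody' (shared with other unprivileged daemons),
# and a missing persist-key / persist-tun (needed so a SIGUSR1 restart does
# not require privileges the daemon already dropped).
set -eu

# Print the value of the first uncommented "NAME value" line in FILE.
get_directive() {
    sed -e 's/[#;].*$//' "$1" | awk -v name="$2" '$1 == name { print $2; exit }'
}

# Succeed if an uncommented line starting with NAME exists in FILE.
has_directive() {
    sed -e 's/[#;].*$//' "$1" | awk -v name="$2" '$1 == name { found = 1 } END { exit !found }'
}

# Print findings for FILE; exit status is the number of findings (0 = clean).
audit_openvpn_config() {
    findings=0
    run_as=$(get_directive "$1" user)
    if [ -z "$run_as" ]; then
        echo "FINDING: no 'user' directive, daemon keeps root after initialization"
        findings=$((findings + 1))
    elif [ "$run_as" = nobody ]; then
        echo "FINDING: 'user nobody' shares a uid with other daemons, use a dedicated user such as 'openvpn'"
        findings=$((findings + 1))
    fi
    for d in persist-key persist-tun; do
        has_directive "$1" "$d" || {
            echo "FINDING: '$d' missing, a SIGUSR1 restart would need privileges already dropped"
            findings=$((findings + 1))
        }
    done
    return "$findings"
}

# Constructed sample configs: the old man page's advice beside the hardened form.
weak_cfg=$(mktemp); hardened_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hardened_cfg"' EXIT
printf '%s\n' 'dev tun' 'user nobody   # what the old text suggested' 'group nogroup' > "$weak_cfg"
printf '%s\n' 'dev tun' 'user openvpn' 'group openvpn' 'persist-key' 'persist-tun' > "$hardened_cfg"

for cfg in "$weak_cfg" "$hardened_cfg"; do
    audit_openvpn_config "$cfg" && echo "$cfg: clean" || echo "$cfg: $? finding(s)"
done
```

The weak sample yields three findings and the hardened one none; point the function at a real server config to check it the same way.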

comment:4 Changed 3 days ago by flichtenheld

Owner: set to flichtenheld
Status: new → accepted

comment:5 Changed 3 days ago by flichtenheld

Milestone: release 2.6

comment:6 Changed 31 hours ago by flichtenheld

Resolution: fixed
Status: accepted → closed