Opened 2 years ago
Closed 4 months ago
#1335 closed Bug / Defect (fixed)
OpenVPN's man page / documentation suggests to run daemon as user 'nobody' under Linux
Reported by: | dirdi | Owned by: | flichtenheld |
---|---|---|---|
Priority: | major | Milestone: | release 2.6 |
Component: | Documentation | Version: | OpenVPN 2.4.9 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | nobody privileges daemon |
Cc: | tct |
Description
The man page currently states:
By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause.
This is bad advice and can even lead to security breaches. One should never run a daemon as user 'nobody', but instead create a dedicated user (e.g. 'openvpn') for each daemon. This is because there is no separation between daemons that run under the same user. The user 'nobody' is dedicated to NFS, only.
See also:
https://wiki.ubuntu.com/nobody
https://askubuntu.com/a/674397/993315
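A configuration check for the point made in the description, as an added example that is not part of the ticket or of OpenVPN: it reads the `user` and `group` directives from a config and flags a missing privilege drop or a drop to a shared account. The sample configs are constructed, the account name `openvpn` follows the example given in the ticket, and treating `nogroup` as a shared group is an assumption.

```python
# Added example: audit OpenVPN configs for the account the daemon drops to.
# Assumption: "nobody"/"nogroup" are the shared accounts worth flagging.
SHARED_ACCOUNTS = {"nobody", "nogroup"}

def drop_targets(config_text):
    """Return the user/group directives found (last occurrence is recorded)."""
    found = {"user": None, "group": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or whole-line comment
            continue
        parts = line.split("#", 1)[0].split()    # drop a trailing comment
        if len(parts) >= 2 and parts[0] in found:
            found[parts[0]] = parts[1]
    return found

def audit(config_text):
    """Return findings; an empty list means a dedicated account is configured."""
    findings = []
    for kind, name in drop_targets(config_text).items():
        if name is None:
            findings.append(f"no '{kind}' directive: {kind} privileges are kept")
        elif name in SHARED_ACCOUNTS:
            findings.append(f"{kind} {name}: shared with other daemons, no separation")
    return findings

# Constructed sample configs.
LEGACY = """dev tun
persist-key
persist-tun
user nobody
group nogroup
"""
DEDICATED = """dev tun
persist-key
persist-tun
; user nobody
user openvpn   # dedicated account, created beforehand
group openvpn
"""
NO_DROP = "dev tun\nproto udp\n"

if __name__ == "__main__":
    for label, cfg in [("legacy", LEGACY), ("dedicated", DEDICATED), ("no-drop", NO_DROP)]:
        print(label, audit(cfg) or "ok")
```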
Change History (6)
comment:1 Changed 2 years ago by
Cc: | tct added |
---|
comment:2 Changed 2 years ago by
comment:3 Changed 17 months ago by
Old text:
--user user
Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second line of defense.
By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one or more of the --persist options to ensure that OpenVPN doesn't need to execute any privileged operations in order to restart (such as re-reading key files or running ifconfig on the TUN device).
New text:
--- as a second line of defense.
+ It is considered to be more secure to run OpenVPN as a dedicated user, eg: openvpn. This means that the openvpn daemon is separated from other processes which run as user nobody. This user can also be configured with sudo rights for commands such as ip, which OpenVPN may require to configure devices and routing.
--- By setting user to nobody or
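Review bot: The added sentence on sudo rights ("This user can also be configured with sudo rights for commands such as ip") leaves the scope of those rights open. Since the paragraph just above presents --user as a second line of defense, the text should say that any sudo rule is restricted to the specific commands OpenVPN needs and nothing broader. The context line "By setting user to nobody or" also stays in place after the insertion, so the page would recommend a dedicated user and nobody in consecutive paragraphs; that sentence should be reworded to refer to the dedicated user. Minor: write "e.g. openvpn" rather than "eg: openvpn".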
comment:4 Changed 4 months ago by
Owner: | set to flichtenheld |
---|---|
Status: | new → accepted |
comment:5 Changed 4 months ago by
Milestone: | → release 2.6 |
---|
comment:6 Changed 4 months ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
Patches to the (2.5.0 or master) documentation welcome.
Or even textual suggestions here in the ticket how the new text should read.