Opened 3 years ago

Last modified 2 years ago

#914 new Bug / Defect

user flag does not kill root

Reported by: scottb
Owned by:
Priority: major
Milestone:
Component: Management
Version: OpenVPN 2.4.3 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

I'm using 2.4.3 on CentOS 7, with the openvpn-server systemd unit. My config contains user nobody; group nobody. Yet, after initialization, running ps -ef | grep openvpn returns two processes, one owned by nobody and a second owned by root. Unless I'm misunderstanding the user/group flags, the root process should be killed when the nobody threads are created.

Output is here:
nobody 686 1 0 01:42 ? 00:00:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
root 690 686 0 01:42 ? 00:00:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf

Change History (2)

comment:1 Changed 3 years ago by scottb

To be clear, this was on 2.4.3, but that was not an option in the tracker.

comment:2 Changed 2 years ago by David Sommerseth

Version: 2.4.0 → 2.4.3

Can you please provide your sanitized configuration file? This might not be unexpected, but we need to see the configuration file to fully understand what's going on.

For example, the down-root plug-in will fork out a process which will keep root privileges while the main OpenVPN process drops privileges. And when the main process shuts down, it will signal the down-root plug-in and that plug-in will run a script - carrying root privileges. This is often used to clean up changes which require root privileges.
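
The process pair in the report (an unprivileged parent with a root-owned child running the same binary) can be picked out of `ps -ef` output mechanically when auditing hosts for retained root helpers. The following is an added example, not part of the ticket or of OpenVPN: the function name `find_root_helpers`, the header and `sshd` lines in the sample, and the assumption of the standard eight-column `ps -ef` layout are all introduced here.

```shell
#!/bin/sh
# find_root_helpers (hypothetical name): read `ps -ef` output on stdin and
# print every root-owned process whose parent runs the same binary as a
# non-root user. Output: "<child_pid> <parent_pid> <parent_user>" per match.
# Optional $1 is the binary path to look for (default /usr/sbin/openvpn).
find_root_helpers() {
    awk -v bin="${1:-/usr/sbin/openvpn}" '
        # Assumed ps -ef columns: UID PID PPID C STIME TTY TIME CMD...
        # Remember owner and parent PID of every process running the binary.
        $8 == bin { user[$2] = $1; ppid[$2] = $3 }
        END {
            for (pid in user) {
                parent = ppid[pid]
                # Child is root, parent is the same binary, parent is not root.
                if (user[pid] == "root" && (parent in user) && user[parent] != "root")
                    print pid, parent, user[parent]
            }
        }'
}

# Constructed sample: the two process lines from the ticket, plus a header
# line and an unrelated root daemon that must not be reported.
SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
nobody     686     1  0 01:42 ?        00:00:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
root       690   686  0 01:42 ?        00:00:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
root       700     1  0 01:42 ?        00:00:00 /usr/sbin/sshd -D'

printf '%s\n' "$SAMPLE" | find_root_helpers
```

A match only shows that a root-owned child exists; whether it is an expected helper such as the one forked by the down-root plug-in still has to be confirmed from the configuration file.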
