Opened 7 years ago
Last modified 7 years ago
#914 new Bug / Defect
user flag does not kill root
Reported by: | scottb | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Management | Version: | OpenVPN 2.4.3 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
I'm using 2.4.3 on CentOS 7, with the openvpn-server systemd unit. My config contains user nobody; group nobody. Yet, after initialization, running ps -ef | grep openvpn returns two processes, one owned by nobody and a second owned by root. Unless I'm misunderstanding the user/group flags, the root process should be killed when the nobody threads are created.
Output is here:
nobody 686 1 0 01:42 ? 00:00:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
root 690 686 0 01:42 ? 00:00:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
Change History (2)
comment:1 Changed 7 years ago by
comment:2 Changed 7 years ago by
Version: | 2.4.0 → 2.4.3 |
---|
Can you please provide your sanitized configuration file? This might not be unexpected, but we need to see the configuration file to fully understand what's going on.
For example, the down-root plug-in will fork out a process which will keep root privileges while the main OpenVPN process drops privileges. And when the main process shuts down, it will signal the down-root plug-in and that plug-in will run a script - carrying root privileges. This is often used to clean up changes which require root privileges.
To be clear, this was on 2.4.3, but that was not an option in the tracker.
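The check discussed in this ticket, as an added example that is not part of the ticket or of OpenVPN's own code: it classifies root-owned openvpn processes in `ps -ef` output against the config's `user` and `plugin` directives, following the down-root explanation in the comments. The `ps` lines are the ones quoted in the description; the config, the plugin and script paths, and the verdict strings are assumptions made for illustration.

```python
import os

# Constructed sample: the two `ps -ef` lines quoted in the ticket description.
PS_SAMPLE = """\
nobody 686 1 0 01:42 ? 00:00:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
root 690 686 0 01:42 ? 00:00:00 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
"""

# Constructed config (not the reporter's); plugin and script paths are hypothetical.
CONF_SAMPLE = """\
user nobody
group nobody
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/server/down.sh"
"""

def parse_ps(text):
    """Return {pid: (user, ppid)} for openvpn processes in `ps -ef` output."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(f) == 8 and f[1].isdigit() and os.path.basename(f[7].split()[0]) == "openvpn":
            procs[int(f[1])] = (f[0], int(f[2]))
    return procs

def parse_conf(text):
    """Return (user directive or None, list of plugin paths); commented lines never match."""
    user, plugins = None, []
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "user":
            user = words[1]
        elif len(words) >= 2 and words[0] == "plugin":
            plugins.append(words[1])
    return user, plugins

def audit(ps_text, conf_text):
    """Classify every root-owned openvpn process as (pid, verdict)."""
    procs, (user, plugins) = parse_ps(ps_text), parse_conf(conf_text)
    down_root = any("down-root" in os.path.basename(p) for p in plugins)
    roots = sorted((pid, ppid) for pid, (owner, ppid) in procs.items() if owner == "root")
    findings = []
    for pid, ppid in roots:
        parent = procs.get(ppid)
        if parent and parent[0] == user:
            # Root child of a privilege-dropped parent: expected only with down-root loaded.
            verdict = "down-root helper" if down_root else "unexplained root child"
        else:
            verdict = "privileges not dropped" if user else "no user directive"
        findings.append((pid, verdict))
    return findings
```

Calling `audit(PS_SAMPLE, CONF_SAMPLE)` reports PID 690 as a down-root helper; with the `plugin` line removed from the config, the same process is reported as an unexplained root child.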