Opened 12 months ago

Last modified 10 months ago

#918 accepted Bug / Defect

openvpn-server@ systemd unit has insufficient capabilities

Reported by: jdh28 Owned by: David Sommerseth
Priority: major Milestone: release 2.4.4
Component: Installation Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: systemd


The openvpn-server@ systemd unit has a CapabilityBoundingSet line in it. On Debian 9 (stretch) this is insufficient and the service cannot accept connections when using the auth-pam plugin.

The CAP_AUDIT_WRITE capability needs to be added.

Change History (4)

comment:1 Changed 12 months ago by tincantech


comment:2 Changed 12 months ago by jdh28

The Debian unit also has CAP_DAC_READ_SEARCH, but I did not need that for it to work.

The related Debian bugs are: and

comment:3 Changed 12 months ago by David Sommerseth

Component: Packaging → Installation
Keywords: systemd added
Milestone: release 2.4.4
Owner: set to David Sommerseth
Status: new → accepted

I have not dug into the core details yet, but that auth-pam and the PAM infrastructure require additional privileges for writing audit information is quite likely. This is now on my todo-list and I will submit patches to the ML asap.

comment:4 Changed 10 months ago by mazzanet

Can we consider adding CAP_KILL to the list as well?

An example use case is a kill -HUP to dnsmasq in a learn-address script, which is now denied.
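As an added example (not code from the ticket or from the OpenVPN project), a POSIX shell helper that reads a running process's capability bounding set from /proc and reports which of the capabilities raised on this ticket are absent: CAP_AUDIT_WRITE from the report, CAP_DAC_READ_SEARCH from comment 2 and CAP_KILL from comment 4. It also emits a drop-in that widens the unit's set without restating the upstream list; the capability bit numbers are taken from linux/capability.h, and the instance name openvpn-server@server in the usage comments is an assumption.

```shell
#!/bin/sh
# Added example, not code from the ticket or the OpenVPN project.
# Reads the capability bounding set of a process (the CapBnd: line in
# /proc/<pid>/status, a 64-bit hex mask) and reports which of the
# capabilities raised in this ticket are absent. Bit numbers follow
# <linux/capability.h>.

# name=bit pairs; CAP_DAC_READ_SEARCH is the extra one in Debian's unit
TICKET_CAPS="CAP_AUDIT_WRITE=29 CAP_KILL=5 CAP_DAC_READ_SEARCH=2"

# cap_in_mask HEXMASK BIT: succeed when BIT is set in HEXMASK. Tests only the
# hex digit holding the bit, so it is correct in shells with 32-bit arithmetic.
cap_in_mask() {
    mask=$(printf '%16s' "$1" | tr ' ' 0)   # left-pad to 16 hex digits
    pos=$((16 - $2 / 4))                    # 1-based column of that nibble
    nibble=$(printf '%s' "$mask" | cut -c "$pos")
    [ $(( (0x$nibble >> ($2 % 4)) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK: print the ticket capabilities absent from the mask,
# one per line; prints nothing when all three are present.
missing_caps() {
    for entry in $TICKET_CAPS; do
        name=${entry%%=*}
        bit=${entry#*=}
        cap_in_mask "$1" "$bit" || echo "$name"
    done
}

# capbnd_of_pid PID: bounding-set mask of a live process.
capbnd_of_pid() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# override_snippet: drop-in text that widens the unit's bounding set. A
# repeated CapabilityBoundingSet= line (without an empty assignment first) is
# merged by OR with the unit's own line, so the upstream list is not restated.
override_snippet() {
    printf '[Service]\nCapabilityBoundingSet=CAP_AUDIT_WRITE CAP_KILL\n'
}

# Usage against a running instance (assumed name openvpn-server@server):
#   pid=$(systemctl show -p MainPID --value openvpn-server@server)
#   missing_caps "$(capbnd_of_pid "$pid")"
# To apply the drop-in (as root):
#   mkdir -p /etc/systemd/system/openvpn-server@.service.d
#   override_snippet > /etc/systemd/system/openvpn-server@.service.d/caps.conf
#   systemctl daemon-reload && systemctl restart openvpn-server@server
```

An empty list from missing_caps means the service already holds all three capabilities; only widen the bounding set for the ones a given deployment actually exercises.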
