
#1 2023-03-12 20:53:38

ftole
Member
Registered: 2023-03-12
Posts: 3

[SOLVED] Openvpn client 2.6.1 unable to set GID to 'nobody' group

Hi,

After the openvpn update (from 2.6.0 to 2.6.1), the client service can't set the GID to nobody. No issues after downgrading to 2.6.0.

    openvpn[3282]: capng_change_id('nobody','nobody') failed retaining capabilities: -9: Operation not permitted (errno=1)
    openvpn[3282]: Unable to retain capabilities
    openvpn[3282]: GID set to nobody
    openvpn[3282]: setgroups('nobody') failed: Operation not permitted (errno=1)
    openvpn[3282]: Exiting due to fatal error

Any ideas?

Last edited by ftole (2023-03-15 22:05:23)


#2 2023-03-12 21:30:24

loqs
Member
Registered: 2014-03-06
Posts: 17,194

Re: [SOLVED] Openvpn client 2.6.1 unable to set GID to 'nobody' group

Possibly related to https://github.com/OpenVPN/openvpn/comm … 1c10000804
Edit:
Why is the client trying to change to user nobody?  https://github.com/archlinux/svntogit-p … fc20101ad3

Last edited by loqs (2023-03-12 21:59:09)


#3 2023-03-13 20:11:23

ftole
Member
Registered: 2023-03-12
Posts: 3

Re: [SOLVED] Openvpn client 2.6.1 unable to set GID to 'nobody' group

Hi loqs, thanks for the reply.

I followed the wiki as a guide for the client config, but this has changed because the "nobody" user/group is used by other services such as NFS, as the openvpn man page shows.

    --user user
        Change the user ID of the OpenVPN process to user after initialization, dropping
        privileges in the process. This option is useful to protect the system in the event
        that some hostile party was able to gain control of an OpenVPN session. Though
        OpenVPN's security features make this unlikely, it is provided as a second line of
        defense.

        By setting user to an unprivileged user dedicated to run openvpn, the hostile party
        would be limited in what damage they could cause. Of course once you take away
        privileges, you cannot return them to an OpenVPN session. This means, for example,
        that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for example in
        response to a DHCP reset), you should make use of one or more of the --persist
        options to ensure that OpenVPN doesn't need to execute any privileged operations in
        order to restart (such as re-reading key files or running ifconfig on the TUN
        device).

        NOTE: Previous versions of openvpn used nobody as the example unprivileged user. It
        is not recommended to actually use that user since it is usually used by other
        system services already. Always create a dedicated user for openvpn.


#4 2023-03-13 20:52:46

loqs
Member
Registered: 2014-03-06
Posts: 17,194

Re: [SOLVED] Openvpn client 2.6.1 unable to set GID to 'nobody' group

That section of the wiki does not cover the changes to the shipped service files from my second link. Did you create a custom openvpn systemd service that starts as root and then switches to the user/group nobody, or are you using openvpn-client@.service, which starts as user openvpn, group network, and which should not, and as it is not root cannot, switch to another user/group?


#5 2023-03-14 07:47:06

snack
Member
From: Italy
Registered: 2009-01-13
Posts: 861

Re: [SOLVED] Openvpn client 2.6.1 unable to set GID to 'nobody' group

I have the same problem. I start openvpn with `sudo systemctl start openvpn-client@my-client` and in the logs I get the error:

    mar 14 08:28:55 stryke openvpn[2508]: GID set to nobody
    mar 14 08:28:55 stryke openvpn[2508]: setgroups('nobody') failed: Operation not permitted (errno=1)
    mar 14 08:28:55 stryke openvpn[2508]: Exiting due to fatal error

The openvpn user on my system belongs to the openvpn group, so I modified my client as:

    user openvpn
    group openvpn

but I get the same error. I added the openvpn user to the network group, modified the client config again accordingly, and still got the same error.
Any help on how to fix this?

Last edited by snack (2023-03-14 07:47:31)


#6 2023-03-14 15:11:56

loqs
Member
Registered: 2014-03-06
Posts: 17,194

Re: [SOLVED] Openvpn client 2.6.1 unable to set GID to 'nobody' group

@snack you are still specifying a user and group in the config, so I would expect it to still fail.

loqs wrote:

using openvpn-client@.service, which starts as user openvpn, group network, and which should not, and as it is not root cannot, switch to another user/group


#7 2023-03-15 18:40:52

snack
Member
From: Italy
Registered: 2009-01-13
Posts: 861

Re: [SOLVED] Openvpn client 2.6.1 unable to set GID to 'nobody' group

@loqs Thanks for your clarification, I removed the setting of user and group from the client config file and the problem is now fixed.

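The mismatch loqs describes (a unit that already starts as user openvpn, group network cannot then honour `user`/`group` directives, so setgid/setgroups fails with EPERM) and the man page note from post #3 (a root-started service that drops privileges needs the `--persist-*` options to survive a SIGUSR1 restart) can both be checked before starting the service. The bash script below is an added example written for this thread; it is not code from any poster, from the Arch package, or from the OpenVPN project. The config paths, the unit name and the sample configs in the usage comments are assumptions/constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): lint an OpenVPN client config against the
# identity its systemd unit already runs as.

# Print the first value of an OpenVPN directive, ignoring comment lines
# ("#" or ";" never equal the directive name in field 1).
ovpn_directive() {
    # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_privdrop CONFIG UNIT_USER UNIT_GROUP
#   UNIT_USER/UNIT_GROUP are the unit's User=/Group= (empty means root).
#   Returns 0 when the config is consistent with the unit,
#           1 when it carries user/group directives that will fail because the
#             unit does not start as root (the 2.6.1 openvpn-client@.service case),
#           2 when a root-started setup drops privileges without persist-key/persist-tun.
check_privdrop() {
    local cfg=$1 unit_user=$2 unit_group=$3
    local cfg_user cfg_group
    cfg_user=$(ovpn_directive "$cfg" user)
    cfg_group=$(ovpn_directive "$cfg" group)

    if [ -z "$cfg_user" ] && [ -z "$cfg_group" ]; then
        # Nothing to drop in the config; the unit's User=/Group= is the only identity.
        return 0
    fi

    if [ -n "$unit_user" ] && [ "$unit_user" != "root" ]; then
        echo "WARN: $cfg sets user=${cfg_user:-<unset>} group=${cfg_group:-<unset>}," \
             "but the unit already runs as ${unit_user}:${unit_group:-<unset>};" \
             "setgid/setgroups will fail with EPERM" >&2
        return 1
    fi

    # Root-started custom unit: dropping privileges is legitimate, but a SIGUSR1
    # restart must then not need any privileged step (re-reading keys, TUN setup).
    if ! grep -qE '^[[:space:]]*persist-key([[:space:]]|$)' "$cfg" || \
       ! grep -qE '^[[:space:]]*persist-tun([[:space:]]|$)' "$cfg"; then
        echo "WARN: $cfg drops to ${cfg_user:-<unset>}:${cfg_group:-<unset>}" \
             "without persist-key/persist-tun" >&2
        return 2
    fi
    return 0
}

# Convenience wrapper for a live system: read User=/Group= from the unit itself.
# Assumed usage (paths are illustrative):
#   check_unit_privdrop /etc/openvpn/client/my-client.conf openvpn-client@my-client.service
check_unit_privdrop() {
    local cfg=$1 unit=$2 u g
    u=$(systemctl show -p User --value "$unit")
    g=$(systemctl show -p Group --value "$unit")
    check_privdrop "$cfg" "$u" "$g"
}
```

Return code 1 is exactly the situation snack and ftole hit: the packaged unit already supplies the unprivileged identity, so the `user`/`group` lines in the client config are redundant and, because the process is not root, cannot be executed. Return code 2 only applies to a custom service that really starts as root and drops privileges itself.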

#8 2023-03-15 22:03:45

ftole
Member
Registered: 2023-03-12
Posts: 3

Re: [SOLVED] Openvpn client 2.6.1 unable to set GID to 'nobody' group

loqs wrote:

That section of the wiki does not cover the changes to the shipped service files from my second link. Did you create a custom openvpn systemd service that starts as root and then switches to the user/group nobody, or are you using openvpn-client@.service, which starts as user openvpn, group network, and which should not, and as it is not root cannot, switch to another user/group?

Same as @snack, `sudo systemctl start openvpn-client@my-client`

Enhancing security via the user/group options is not needed now; the process runs as the unprivileged "openvpn" user instead of root in the latest versions.

Thank you loqs


#9 2023-03-16 19:24:10

train__wreck
Member
Registered: 2020-08-23
Posts: 32

Re: [SOLVED] Openvpn client 2.6.1 unable to set GID to 'nobody' group

Just noticed this today when running openvpn in server mode; the tunnel was down and the log was spammed with the same message.
