Hi,
After openvpn update (2.6.1 from 2.6.0) the client service can't set GID to nobody. No issues after downgrade to 2.6.0.
openvpn[3282]: capng_change_id('nobody','nobody') failed retaining capabilities: -9: Operation not permitted (errno=1)
openvpn[3282]: Unable to retain capabilities
openvpn[3282]: GID set to nobody
openvpn[3282]: setgroups('nobody') failed: Operation not permitted (errno=1)
openvpn[3282]: Exiting due to fatal error
Any ideas?
Last edited by ftole (2023-03-15 22:05:23)
Possibly related to https://github.com/OpenVPN/openvpn/comm … 1c10000804
Edit:
Why is the client trying to change to user nobody? https://github.com/archlinux/svntogit-p … fc20101ad3
Last edited by loqs (2023-03-12 21:59:09)
Hi loqs, thanks for the reply.
I followed the wiki as a guide for the client config, but this has changed because the "nobody" user/group is used by other services such as NFS, as the openvpn man page shows:
--user user
Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second line of defense.
By setting user to an unprivileged user dedicated to run openvpn, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one or more of the --persist options to ensure that OpenVPN doesn't need to execute any privileged operations in order to restart (such as re-reading key files or running ifconfig on the TUN device).
NOTE: Previous versions of openvpn used nobody as the example unprivileged user. It is not recommended to actually use that user since it is usually used by other system services already. Always create a dedicated user for openvpn.
That section of the wiki does not cover the changes to the shipped service files from my second link. Did you create a custom openvpn systemd service that starts as root and then switches to the user/group nobody, or are you using openvpn-client@.service, which starts as user openvpn, group network, and which should not (and, as it is not root, cannot) switch to another user/group?
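The two failure modes discussed above (the man page's advice on --user/--persist for a root-started daemon, and loqs's point that a unit already running as an unprivileged user cannot switch identity again) can be checked before starting the service. The following Python checker is an added example, not code from this thread or from the OpenVPN project; the unit file and config fragments are constructed samples modeled on the User=openvpn / Group=network service described above, and the directive names are the standard OpenVPN/systemd ones.

```python
"""Lint an OpenVPN config against the systemd unit that will start it.

A process that systemd already started as an unprivileged user (User=...)
cannot call setgid()/setgroups()/setuid() again, so 'user'/'group' in the
OpenVPN config will make it exit with EPERM, exactly as in the thread's logs.
A unit that starts as root, on the other hand, should drop privileges itself
and keep the --persist options so a SIGUSR1 restart needs no privileges.
"""

# Constructed sample modeled on the shipped openvpn-client@.service
# (User=openvpn, Group=network); not a copy of the packaged file.
SHIPPED_UNIT = """\
[Service]
Type=notify
User=openvpn
Group=network
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf
"""

# Constructed sample of a custom unit that starts openvpn as root.
ROOT_UNIT = """\
[Service]
ExecStart=/usr/bin/openvpn --config /etc/openvpn/client/%i.conf
"""

# Constructed client config fragments.
CONFIG_WITH_NOBODY = "client\ndev tun\nuser nobody\ngroup nobody\n"
CONFIG_DEDICATED = "client\ndev tun\nuser openvpn\ngroup openvpn\npersist-key\npersist-tun\n"
CONFIG_NO_DROP = "client\ndev tun\n"


def unit_identity(unit_text):
    """Return (User, Group) from the unit's [Service] section; None means unset (root)."""
    ident = {"User": None, "Group": None}
    in_service = False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_service = line == "[Service]"
            continue
        if not in_service or "=" not in line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        if key.strip() in ident:
            ident[key.strip()] = value.strip() or None
    return ident["User"], ident["Group"]


def config_directives(config_text):
    """Map each OpenVPN option (first word of a line) to its first argument, or True."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        if not line:
            continue
        parts = line.split()
        found[parts[0]] = parts[1] if len(parts) > 1 else True
    return found


def check_privilege_drop(unit_text, config_text):
    """Return a list of (severity, message) findings for this unit/config pair."""
    user, group = unit_identity(unit_text)
    opts = config_directives(config_text)
    findings = []
    if user is not None:
        # systemd already dropped privileges: openvpn cannot change identity again
        for opt in ("user", "group"):
            if opt in opts:
                findings.append(("error", f"'{opt} {opts[opt]}' in config, but the unit already "
                                          f"runs as User={user}: setuid/setgid will fail with "
                                          f"EPERM; remove the directive"))
        return findings
    # Unit starts as root: openvpn itself should drop privileges, and do it well.
    if "user" not in opts or "group" not in opts:
        findings.append(("warning", "unit runs as root and the config does not drop "
                                    "privileges with --user/--group"))
    for opt in ("user", "group"):
        if opts.get(opt) == "nobody":
            findings.append(("warning", f"'{opt} nobody' is shared with other system services; "
                                        f"use a dedicated openvpn user/group"))
    if "user" in opts:
        for persist in ("persist-key", "persist-tun"):
            if persist not in opts:
                findings.append(("warning", f"--user set without {persist}: a SIGUSR1 restart "
                                            f"would need privileges that were already dropped"))
    return findings


if __name__ == "__main__":
    for name, unit, cfg in (("shipped+nobody", SHIPPED_UNIT, CONFIG_WITH_NOBODY),
                            ("shipped+no-drop", SHIPPED_UNIT, CONFIG_NO_DROP),
                            ("root+dedicated", ROOT_UNIT, CONFIG_DEDICATED),
                            ("root+nobody", ROOT_UNIT, CONFIG_WITH_NOBODY)):
        print(name, check_privilege_drop(unit, cfg) or "OK")
```

Run against a real system, `unit_text` would come from `systemctl cat openvpn-client@.service` and `config_text` from the file in /etc/openvpn/client/; the "shipped+nobody" case reproduces the thread's situation, and the "root+nobody" case shows what the man page's NOTE and --persist advice flag for a custom root-started unit.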
I have the same problem. I start openvpn with `sudo systemctl start openvpn-client@my-client` and in the logs I get the error:
mar 14 08:28:55 stryke openvpn[2508]: GID set to nobody
mar 14 08:28:55 stryke openvpn[2508]: setgroups('nobody') failed: Operation not permitted (errno=1)
mar 14 08:28:55 stryke openvpn[2508]: Exiting due to fatal error
The openvpn user on my system belongs to the openvpn group, so I modified my client as:
user openvpn
group openvpn
but I get the same error. I added the openvpn user to the network group, modified the client config again accordingly, and still got the same error.
Any help on how to fix this?
Last edited by snack (2023-03-14 07:47:31)
@snack you are still specifying a user and group in the config, so I would expect it to still fail.
using openvpn-client@.service, which starts as user openvpn, group network, and which should not (and, as it is not root, cannot) switch to another user/group
@loqs Thanks for your clarification, I removed the setting of user and group from the client config file and the problem is now fixed.
That section of the wiki does not cover the changes to the shipped service files from my second link. Did you create a custom openvpn systemd service that starts as root and then switches to the user/group nobody, or are you using openvpn-client@.service, which starts as user openvpn, group network, and which should not (and, as it is not root, cannot) switch to another user/group?
Same as @snack, `sudo systemctl start openvpn-client@my-client`
Enhancing security via the user/group options is not needed now; in the latest versions the process runs as the unprivileged "openvpn" user instead of root.
Thank you loqs
Just noticed this today when running openvpn in server mode: the tunnel was down and the log was spammed with the same message.