Subject: Re: [RFC] vpn: Restrict connman-vpnd capabilities
Date: Fri, 19 Feb 2016 11:29:22 +0200
The below reply got stuck somewhere, I thought it had already been sent
to the mailing list...
On Wed, 2016-02-10 at 19:30 -0500, Andrew Bibb wrote:
> Lastly I decided to play around with the CapabiliyBoundingSet a bit
> based on your suggestion. Adding CAP_DAC_READ_SEARCH to the "as
> shipped" list will allow OpenVPN to connect. I never even knew these
> existed until this evening, and I only picked that one based on
> reading the manpage, so the probability of it being the proper one is
> likely not great. Using CAP_DAC_OVERRIDE also works, but that
> bypasses write permissions and seems to be overkill.
The man page says about CAP_DAC_READ_SEARCH that it:
* Bypass file read permission checks and directory read and execute
* Invoke open_by_handle_at(2).
Could it be that openvpn does not have read permissions to the config
file and/or path written to by ConnMan?
You nailed it, permissions on my personal home directory were 700, so
OpenVPN could never get into ~/.local/share. Change that one to 711 and
Connman with OpenVPN will connect fine (using the default "as shipped"
/usr/lib/systemd/system/connman-vpn.service).
Thank you for all your help.
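The diagnosis above (a 0700 home directory stops a service whose bounding set lacks CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE, and 0711 fixes it) is easy to check before touching the unit file. The script below is an added example, not code from ConnMan or from anyone in this thread: it walks every component on the way to a file and reports which ones a given uid could not pass without the DAC capabilities, applying the owner/group/other triplet the way the kernel does and deliberately not treating uid 0 as special. The directory layout, the `connman-vpn` subdirectory and the `openvpn.conf` file name in `simulate_home_dir_case` are constructed for the demonstration and are not ConnMan's actual storage paths.

```python
"""Report which path components would stop a process that has no
CAP_DAC_READ_SEARCH / CAP_DAC_OVERRIDE from reading a file.

Added example modelling the situation in the thread: a service running
with a restricted CapabilityBoundingSet trying to read a file that lives
below a 0700 home directory.  Not ConnMan code."""
import os
import shutil
import stat
import tempfile


def traversal_blockers(path, uid, gids, start=None):
    """Return [(component, octal_mode, missing_bit), ...] for every path
    component a process running as `uid` (supplementary groups `gids`)
    cannot pass without the DAC capabilities.

    Ancestor directories need the search (x) bit, the final path needs
    the read (r) bit.  uid 0 is intentionally not special-cased: a root
    process whose bounding set dropped CAP_DAC_* is subject to exactly
    these checks.  `start` (optional) limits the walk to components at
    or below that directory; by default the walk begins at "/"."""
    path = os.path.abspath(path)
    start = os.path.abspath(start) if start else os.sep

    # Build the chain root -> ... -> path.
    chain, cur = [], path
    while True:
        chain.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    chain.reverse()
    prefix = start.rstrip(os.sep) + os.sep
    chain = [c for c in chain if c == start or c.startswith(prefix)]

    blockers = []
    for comp in chain:
        st = os.stat(comp)
        # Kernel rule: owner triplet if uid matches, else group triplet if
        # the file's group is one of ours, else the "other" triplet.
        if st.st_uid == uid:
            shift = 6
        elif st.st_gid in gids:
            shift = 3
        else:
            shift = 0
        bits = (st.st_mode >> shift) & 0o7
        needed = 0o4 if comp == path else 0o1  # r on the target, x on dirs
        if not bits & needed:
            blockers.append((comp, oct(stat.S_IMODE(st.st_mode)),
                             'r' if needed == 0o4 else 'x'))
    return blockers


def simulate_home_dir_case():
    """Constructed reproduction of the thread: a readable config file
    below a home directory, accessed by a uid that does not own it.
    Returns (blockers with home at 0700, blockers with home at 0711)."""
    base = tempfile.mkdtemp()
    try:
        os.chmod(base, 0o711)
        home = os.path.join(base, 'home-user')
        cfg_dir = os.path.join(home, '.local', 'share', 'connman-vpn')
        os.makedirs(cfg_dir)
        for d in (home, os.path.join(home, '.local'),
                  os.path.join(home, '.local', 'share'), cfg_dir):
            os.chmod(d, 0o755)
        cfg = os.path.join(cfg_dir, 'openvpn.conf')  # constructed name
        with open(cfg, 'w') as f:
            f.write('# constructed sample config\n')
        os.chmod(cfg, 0o644)

        other_uid = os.getuid() + 1  # any uid that is not the owner
        os.chmod(home, 0o700)
        before = traversal_blockers(cfg, other_uid, [], start=base)
        os.chmod(home, 0o711)
        after = traversal_blockers(cfg, other_uid, [], start=base)
        before = [(os.path.relpath(p, base), m, b) for p, m, b in before]
        return before, after
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    before, after = simulate_home_dir_case()
    print('home at 0700 ->', before)   # [('home-user', '0o700', 'x')]
    print('home at 0711 ->', after)    # []
```

On a real system, call `traversal_blockers('/home/user/.local/share/<file>', 0, [])` with the uid and groups the VPN service actually runs under; an empty list means the DAC capabilities can stay out of the bounding set, which is the least-privilege outcome the thread converged on.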