openvpn: T3805: drop privileges using systemd - required for rtnetlink

(cherry picked from commit 2647edc30f1e02840cae62fde8b44345d35ac720)
author: Christian Poessinger <christian@poessinger.com> 2021-09-08 14:35:20 +0200
committer: Christian Poessinger <christian@poessinger.com> 2021-09-09 09:14:36 +0200
commit: c593bf7f597735b4b95c3923bb6ea6fc2c2ae346 (patch)
tree: f298227e31af4996972abb76f93d1532cab37c94 /src/etc
parent: 451a7d6d97ee48d715e410617bdbb7149537c41a (diff)
download: vyos-1x-c593bf7f597735b4b95c3923bb6ea6fc2c2ae346.tar.gz
vyos-1x-c593bf7f597735b4b95c3923bb6ea6fc2c2ae346.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/src/etc/systemd/system/openvpn@.service.d/override.conf b/src/etc/systemd/system/openvpn@.service.d/override.conf
index 7946484a3..03fe6b587 100644
--- a/src/etc/systemd/system/openvpn@.service.d/override.conf
+++ b/src/etc/systemd/system/openvpn@.service.d/override.conf
@@ -7,3 +7,7 @@ WorkingDirectory=
 WorkingDirectory=/run/openvpn
 ExecStart=
 ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid
+User=openvpn
+Group=openvpn
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
author	Christian Poessinger <christian@poessinger.com>	2021-09-08 14:35:20 +0200
committer	Christian Poessinger <christian@poessinger.com>	2021-09-09 09:14:36 +0200
commit	c593bf7f597735b4b95c3923bb6ea6fc2c2ae346 (patch)
tree	f298227e31af4996972abb76f93d1532cab37c94 /src/etc
parent	451a7d6d97ee48d715e410617bdbb7149537c41a (diff)
download	vyos-1x-c593bf7f597735b4b95c3923bb6ea6fc2c2ae346.tar.gz vyos-1x-c593bf7f597735b4b95c3923bb6ea6fc2c2ae346.zip