openvpn: T3805: drop privileges using systemd - required for rtnetlink

author: Christian Poessinger <christian@poessinger.com> 2021-09-08 14:35:20 +0200
committer: Christian Poessinger <christian@poessinger.com> 2021-09-08 14:35:20 +0200
commit: 2647edc30f1e02840cae62fde8b44345d35ac720 (patch)
tree: d0cd3ae4e56f2955f867d747bfd4a1af1d315d88 /src/etc/systemd/system/openvpn@.service.d
parent: 84e912ab2f583864e637c2df137f62f3d4cbeb14 (diff)
download: vyos-1x-2647edc30f1e02840cae62fde8b44345d35ac720.tar.gz
vyos-1x-2647edc30f1e02840cae62fde8b44345d35ac720.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/src/etc/systemd/system/openvpn@.service.d/override.conf b/src/etc/systemd/system/openvpn@.service.d/override.conf
index 7946484a3..03fe6b587 100644
--- a/src/etc/systemd/system/openvpn@.service.d/override.conf
+++ b/src/etc/systemd/system/openvpn@.service.d/override.conf
@@ -7,3 +7,7 @@ WorkingDirectory=
 WorkingDirectory=/run/openvpn
 ExecStart=
 ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid
+User=openvpn
+Group=openvpn
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
author	Christian Poessinger <christian@poessinger.com>	2021-09-08 14:35:20 +0200
committer	Christian Poessinger <christian@poessinger.com>	2021-09-08 14:35:20 +0200
commit	2647edc30f1e02840cae62fde8b44345d35ac720 (patch)
tree	d0cd3ae4e56f2955f867d747bfd4a1af1d315d88 /src/etc/systemd/system/openvpn@.service.d
parent	84e912ab2f583864e637c2df137f62f3d4cbeb14 (diff)
download	vyos-1x-2647edc30f1e02840cae62fde8b44345d35ac720.tar.gz vyos-1x-2647edc30f1e02840cae62fde8b44345d35ac720.zip