
Re: openvpn fails to run a learn-address script





On 27.02.19 14:37, Curt wrote:
On 2019-02-27, Dominik <dr896543@xxxxxxxxx> wrote:
I'm looking for help related to three questions:

1) How do I get additional information about what is causing the error?
Why is systemd blocking sudo despite the modifications in the override.conf?

2) More generally: How can I run openvpn in a daemon as user vpn with
the ability to use sudo in a learn-address-script?

3) Would it be appropriate to file a bug report against systemd at this
stage?

Thanks in advance,

kind regards

Dominik

I can't grok your /etc/systemd/system/openvpn@.service.d/override.conf 
file.

Sorry, this was a mistake. The override.conf files I used are:

version 1:

ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
CAP_AUDIT_WRITE

version 2:

ProtectSystem=no
CapabilityBoundingSet=~

My understanding is that for this workaround it should contain something like:

 [Service]
 CapabilityBoundingSet=CAP_AUDIT_WRITE

Another approach is to run

 systemctl edit openvpn@.service

and in your $EDITOR write and save the same, i.e.

 [Service]
 CapabilityBoundingSet=CAP_AUDIT_WRITE

Apparently "CapabilityBoundingSet=" (empty) also works.

If that's what you've already done or I've misunderstood any or everything,
sorry, mate.


Thanks for pointing this out. My mistake was the missing [Service].

Greetings

Dominik
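
An added example, not part of the original thread: a small Python check for the mistake resolved above, flagging drop-in directives that appear before any `[Section]` header (systemd ignores such assignments) and value lines wrapped without a trailing backslash. The function names and sample strings are constructed for illustration; `VERSION_1` mirrors "version 1" as it appears in the mail.

```python
import re

SECTION = re.compile(r"^\[([A-Za-z0-9-]+)\]$")

def lint_dropin(text):
    """Return (problems, service_settings) for the text of a systemd drop-in."""
    problems, settings, section, pending = [], {}, None, ""
    for n, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.endswith("\\"):                  # systemd line continuation
            pending = line[:-1].rstrip() + " "
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif "=" not in line:
            problems.append(f"line {n}: no '=' (value wrapped without a backslash?)")
        elif section is None:
            key = line.split("=", 1)[0].strip()
            problems.append(f"line {n}: {key} is set before any [Section] header")
        elif section == "Service":
            key, value = (p.strip() for p in line.split("=", 1))
            settings.setdefault(key, []).append(value)
    return problems, settings

def names_capability(settings, cap):
    """True if a [Service] CapabilityBoundingSet= line lists cap by name.
    Inverted (~) and empty assignments are reported as not naming it."""
    values = settings.get("CapabilityBoundingSet", [])
    return any(cap in v.split() for v in values)

# Constructed samples: the first follows "version 1" from the mail,
# the second is the drop-in suggested in the reply.
VERSION_1 = """ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
CAP_AUDIT_WRITE
"""
FIXED = "[Service]\nCapabilityBoundingSet=CAP_AUDIT_WRITE\n"

if __name__ == "__main__":
    for name, text in (("version 1", VERSION_1), ("fixed", FIXED)):
        problems, settings = lint_dropin(text)
        print(name, problems or "ok", names_capability(settings, "CAP_AUDIT_WRITE"))
```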