documentation: avoid recommending --user nobody

Recommend to create an user dedicated to openvpn
so that there is no priviledge escalation between
different services using that user.

cf. https://wiki.ubuntu.com/nobody

Trac: #1335
CC: tincantech <tincantech@protonmail.com>
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221129144731.35105-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
index 394c218696af4e967411f8d9bd2276effc7e4ad2..d2b226c4599f68fae317387932d5082f4e471cb8 100644 (file)
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -294,7 +294,7 @@ which mode OpenVPN is configured as.
 --persist-key
   Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.
 
-  This option can be combined with ``--user nobody`` to allow restarts
+  This option can be combined with ``--user`` to allow restarts
   triggered by the :code:`SIGUSR1` signal. Normally if you drop root
   privileges in OpenVPN, the daemon cannot be restarted since it will now
   be unable to re-read protected key files.
@@ -491,7 +491,7 @@ which mode OpenVPN is configured as.
   able to gain control of an OpenVPN session. Though OpenVPN's security
   features make this unlikely, it is provided as a second line of defense.
 
-  By setting ``user`` to :code:`nobody` or somebody similarly unprivileged,
+  By setting ``user`` to an unprivileged user dedicated to run openvpn,
   the hostile party would be limited in what damage they could cause. Of
   course once you take away privileges, you cannot return them to an
   OpenVPN session. This means, for example, that if you want to reset an
@@ -501,5 +501,10 @@ which mode OpenVPN is configured as.
   operations in order to restart (such as re-reading key files or running
   ``ifconfig`` on the TUN device).
 
+  NOTE: Previous versions of openvpn used :code:`nobody` as the example
+  unpriviledged user. It is not recommended to actually use that user
+  since it is usually used by other system services already. Always
+  create a dedicated user for openvpn.
+
 --writepid file
   Write OpenVPN's main process ID to ``file``.

diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf
index 47ca409921334c40a14e320432c3e55154a19e31..15cb1b37512e3fcb15d9af78f528016b9d8fb0e9 100644 (file)
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -58,8 +58,8 @@ resolv-retry infinite
 nobind
 
 # Downgrade privileges after initialization (non-Windows only)
-;user nobody
-;group nobody
+;user openvpn
+;group openvpn
 
 # Try to preserve some state across restarts.
 persist-key

diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf
index e70206395aa669518140145125833d688bab44dc..d9345b648d11dc53db7b5408f83289d302c82ff7 100644 (file)
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -269,10 +269,10 @@ cipher AES-256-CBC
 # It's a good idea to reduce the OpenVPN
 # daemon's privileges after initialization.
 #
-# You can uncomment this out on
-# non-Windows systems.
-;user nobody
-;group nobody
+# You can uncomment this on non-Windows
+# systems after creating a dedicated user.
+;user openvpn
+;group openvpn
 
 # The persist options will try to avoid
 # accessing certain resources on restart

diff --git a/sample/sample-config-files/tls-home.conf b/sample/sample-config-files/tls-home.conf
index 3a9297cc83bcc2a787a3893437d655ab3217535c..ff19d50d46f6a6aa82429b6db105fef6509e1aa3 100644 (file)
--- a/sample/sample-config-files/tls-home.conf
+++ b/sample/sample-config-files/tls-home.conf
@@ -47,11 +47,11 @@ cipher AES-256-GCM
 # for local and remote.
 ; port 1194
 
-# Downgrade UID and GID to
-# "nobody" after initialization
+# Downgrade UID and GID to an
+# unpriviledged user after initialization
 # for extra security.
-; user nobody
-; group nobody
+; user openvpn
+; group openvpn
 
 # If you built OpenVPN with
 # LZO compression, uncomment

diff --git a/sample/sample-config-files/tls-office.conf b/sample/sample-config-files/tls-office.conf
index 81052211710ccec3d552ea6e55152ea94face744..152e58a0ddf482d448af9648b0aa4351a45f2f19 100644 (file)
--- a/sample/sample-config-files/tls-office.conf
+++ b/sample/sample-config-files/tls-office.conf
@@ -50,11 +50,11 @@ cipher AES-256-GCM
 # for local and remote.
 ; port 1194
 
-# Downgrade UID and GID to
-# "nobody" after initialization
+# Downgrade UID and GID to an
+# unpriviledged user after initialization
 # for extra security.
-; user nobody
-; group nobody
+; user openvpn
+; group openvpn
 
 # If you built OpenVPN with
 # LZO compression, uncomment

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index eb7b4b8053f7be83f2848e61401b1269b8a7cdb3..74b380327cf8aaa93ca4707153782c6601b28a1e 100644 (file)
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2020,7 +2020,7 @@ do_close_tun(struct context *c, bool force)
         }
 
         /* Run the down script -- note that it will run at reduced
-         * privilege if, for example, "--user nobody" was used. */
+         * privilege if, for example, "--user" was used. */
         run_up_down(c->options.down_script,
                     c->plugins,
                     OPENVPN_PLUGIN_DOWN,