https://bugzilla.novell.com/show_bug.cgi?id=732915
https://bugzilla.novell.com/show_bug.cgi?id=732915#c8
--- Comment #8 from David Woodhouse
> I'm probably blind here, but although I see where the user and group are added in the fedora package (in the pre scriptlet), I can't see where they are actually integrated with the nm-openconnect software.
See the create_persistent_tundev() and related code at around http://git.gnome.org/browse/network-manager-openconnect/tree/src/nm-openconn... If the user exists, it creates the tunnel device in advance, and chowns it to that user. Then it runs openconnect as that user, instead of as root. If the user doesn't exist, it just runs openconnect as root, much like NM would normally run vpnc/openvpn/etc as root. Falling back to running as root was a deliberate choice. I understand how it could be seen as bad practice (Ludwig) but since it's only falling back to what every *other* vpn plugin does, it didn't seem so evil. If NM had better error handling and could actually *give* a coherent error message rather than a simple "the VPN failed", I'd be more inclined to rethink that decision... :)
> I would think I would need to set attributes to be owned by the nm-openconnect user or something, but everything looks like it is owned by root. Does this happen automatically, or am I missing something?
The only thing that needs to be owned by nm-openconnect is the tun device, and we do that with the TUNSETOWNER ioctl.
> Also, it doesn't look like this is done for any of the other NetworkManager vpn clients. Is this something that should be fixed, or is there something special about this one that doesn't apply to the others?
Ideally it should be fixed, but the clients (vpnc, etc.) may need minor patches to support it. When using NAT-T, vpnc *ought* to be able to run as non-root, although it needs root privs (or more cunningness like passing an appropriate socket fd in from the caller) if it's going to be doing real IPSec/IKE because that involves special sockets. I think openvpn should certainly be able to run as non-root with minimal (if any) patches. There's a bug in GNOME bugzilla for this, I think.
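The mechanism the comment describes (pre-create the tun device as root, hand it to the service account with TUNSETOWNER, drop privileges and exec the client, and fall back to running as root when the account is missing), written out as an added C example. This is illustrative code, not nm-openconnect's own implementation: the account name `nm-openconnect`, the interface name `vpn0`, the server `vpn.example.com`, the `openconnect -i` command line and the helpers `resolve_run_as`, `build_tun_request`, `create_persistent_tundev` and `drop_privs_and_exec` are all assumptions for illustration (only the name `create_persistent_tundev` comes from the comment).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <net/if.h>
#include <linux/if_tun.h>

/* Who the VPN client will run as.  found == 0 means the service account does
 * not exist and we fall back to root (uid 0/gid 0), as the comment describes. */
struct run_as {
    uid_t uid;
    gid_t gid;
    int   found;
};

/* Look up the service account (assumed name: "nm-openconnect").
 * Returns 1 if it exists, 0 for the root fall-back. */
int resolve_run_as(const char *account, struct run_as *ra)
{
    struct passwd *pw = getpwnam(account);

    memset(ra, 0, sizeof(*ra));             /* uid 0 / gid 0 = root fall-back */
    if (pw) {
        ra->uid = pw->pw_uid;
        ra->gid = pw->pw_gid;
        ra->found = 1;
    }
    return ra->found;
}

/* Fill the ifreq used for TUNSETIFF: an L3 tun device without the
 * packet-information header.  -1/ENAMETOOLONG if the name will not fit. */
int build_tun_request(struct ifreq *ifr, const char *ifname)
{
    if (strlen(ifname) >= IFNAMSIZ) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(ifr, 0, sizeof(*ifr));
    ifr->ifr_flags = IFF_TUN | IFF_NO_PI;
    strncpy(ifr->ifr_name, ifname, IFNAMSIZ - 1);
    return 0;
}

/* As root: create the device, give it to uid/gid with TUNSETOWNER/TUNSETGROUP
 * and make it persistent so it outlives our fd.  Returns 0, or -1 with errno
 * set (EPERM without CAP_NET_ADMIN). */
int create_persistent_tundev(const char *ifname, uid_t uid, gid_t gid)
{
    struct ifreq ifr;
    int fd, saved;

    if (build_tun_request(&ifr, ifname) < 0)
        return -1;
    fd = open("/dev/net/tun", O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (ioctl(fd, TUNSETIFF, &ifr) < 0 ||
        ioctl(fd, TUNSETOWNER, (unsigned long)uid) < 0 ||
        ioctl(fd, TUNSETGROUP, (unsigned long)gid) < 0 ||
        ioctl(fd, TUNSETPERSIST, 1UL) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);                               /* device stays: it is persistent */
    return 0;
}

/* Drop to the service account (supplementary groups, gid, then uid) and exec
 * the client.  With found == 0 we exec as root: the deliberate fall-back.
 * Only returns on failure. */
int drop_privs_and_exec(const char *account, const struct run_as *ra,
                        char *const argv[])
{
    if (ra->found) {
        if (initgroups(account, ra->gid) < 0 || setgid(ra->gid) < 0 ||
            setuid(ra->uid) < 0)
            return -1;
        if (ra->uid != 0 && setuid(0) == 0) { /* must not regain root */
            errno = EPERM;
            return -1;
        }
    }
    execvp(argv[0], argv);
    return -1;
}

int main(int argc, char **argv)
{
    const char *account = "nm-openconnect";             /* assumed account */
    const char *ifname  = argc > 1 ? argv[1] : "vpn0";  /* assumed device */
    struct run_as ra;
    /* Assumed command line; vpn.example.com is a placeholder server. */
    char *const client[] = { "openconnect", "-i", (char *)ifname,
                             "vpn.example.com", NULL };

    if (resolve_run_as(account, &ra)) {
        if (create_persistent_tundev(ifname, ra.uid, ra.gid) < 0) {
            perror("create_persistent_tundev");
            return 1;
        }
    } else {
        fprintf(stderr, "no %s account, running client as root\n", account);
    }
    drop_privs_and_exec(account, &ra, client);
    perror("exec");
    return 1;
}
```

The ordering matters: the device is created and chowned while still root, and only then are privileges dropped. The unprivileged client then opens /dev/net/tun itself and issues TUNSETIFF with the same name; the kernel allows that without CAP_NET_ADMIN because the persistent device's owner matches the caller's uid, which is why the tun device is the only thing the account needs to own. Two practical checks: /dev/net/tun must be readable and writable by the account (it is commonly mode 0666), and the persistent device is left behind if the client exits, so a real plugin should tear it down with `TUNSETPERSIST` set to 0 afterwards.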