diff options
author | s3rj1k | 2021-02-15 18:29:51 +0200 |
---|---|---|
committer | s3rj1k | 2021-02-15 18:45:01 +0200 |
commit | 316aecbbdad7d13a9c5f13b8ebdb6dbf1f075dc4 (patch) | |
tree | aacc60cb5fc7fff8d3d2cba632b67ccb75ac02c6 /0001-unprivileged.patch | |
download | aur-316aecbbdad7d13a9c5f13b8ebdb6dbf1f075dc4.tar.gz |
initial commit
Signed-off-by: s3rj1k <evasive.gyron@gmail.com>
Diffstat (limited to '0001-unprivileged.patch')
-rw-r--r-- | 0001-unprivileged.patch | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/0001-unprivileged.patch b/0001-unprivileged.patch new file mode 100644 index 000000000000..b33de3461cb1 --- /dev/null +++ b/0001-unprivileged.patch @@ -0,0 +1,28 @@ +diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in +index cbcef653..71aa1335 100644 +--- a/distro/systemd/openvpn-client@.service.in ++++ b/distro/systemd/openvpn-client@.service.in +@@ -11,6 +11,9 @@ Type=notify + PrivateTmp=true + WorkingDirectory=/etc/openvpn/client + ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf ++User=openvpn ++Group=network ++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE + CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE + LimitNPROC=10 + DeviceAllow=/dev/null rw +diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in +index d1cc72cb..691f369e 100644 +--- a/distro/systemd/openvpn-server@.service.in ++++ b/distro/systemd/openvpn-server@.service.in +@@ -11,6 +11,9 @@ Type=notify + PrivateTmp=true + WorkingDirectory=/etc/openvpn/server + ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf ++User=openvpn ++Group=network ++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE + CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE + LimitNPROC=10 + DeviceAllow=/dev/null rw |