OS: Ubuntu 16.04.2 LTS
My VPN config has directives:
My visudo file has the directive:
%ovpn ALL=(ALL:ALL) NOPASSWD: /sbin/iptables
This allows openvpn to de-escalate from root to the unprivileged user ovpn (for security reasons), but still use iptables to bring up and down routes loaded from a database. It works if I invoke the openvpn process directly from a shell, i.e.:
$ sudo openvpn /etc/openvpn/vpn0.conf
and then kill it with CTRL-C. By "it works" I mean that the iptables rules are added and removed as desired without any errors.
However, if I start and stop the openvpn process using the vanilla Ubuntu systemd openvpn service, i.e.
$ sudo systemctl start openvpn
$ sudo systemctl stop openvpn
then the "--down" script fails during execution of the "stop" command. When I examine the syslog I see that the --down script has failed at the shell command invoking sudo /sbin/iptables, specifically where it is attempting to fork the process. (Regarding the error message: my script is a Python script using subprocess.call(['/usr/bin/sudo', '/sbin/iptables', ...]).) The error message is:
File "/usr/lib/python2.7/subprocess.py", line 523, in call
return Popen(*popenargs, **kwargs).wait()
File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
File "/usr/lib/python2.7/subprocess.py", line 1235, in _execute_child
self.pid = os.fork()
OSError: [Errno 11] Resource temporarily unavailable
If I remove the group directives from the openvpn configuration file so that the process remains root throughout execution, then I don't get the error, and the iptables invocations work as expected, even when using the systemd service to start and stop.
So it smells like systemd is preventing me from escalating privileges using sudo while shutting down the service.
Any ideas on how to overcome this difficulty while still deescalating to an unprivileged user?
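The failure described above is an OSError with errno 11 (EAGAIN) raised by os.fork() inside subprocess.call(). As an added example that is not the poster's script, here is a --down helper that retries only on that errno with a short back-off and logs each attempt to syslog, so a transient fork failure during "systemctl stop" does not abort the whole teardown and leave rules behind. The names SUDO, IPTABLES, run_with_retry and remove_rules, and the sample rule, are assumptions; the runner and sleep parameters exist so the logic can be exercised without actually calling sudo.

```python
# Added example (not the poster's script): retry iptables teardown on EAGAIN.
import errno
import logging
import logging.handlers
import subprocess
import time

log = logging.getLogger("ovpn-down")
if not log.handlers:
    # Log where the poster was already looking; fall back to stderr if
    # /dev/log is unavailable (e.g. when run outside the VPN host).
    try:
        log.addHandler(logging.handlers.SysLogHandler(address="/dev/log"))
    except OSError:
        log.addHandler(logging.StreamHandler())
log.setLevel(logging.INFO)

SUDO = "/usr/bin/sudo"      # assumed paths, as in the poster's subprocess.call
IPTABLES = "/sbin/iptables"


def run_with_retry(argv, attempts=5, delay=0.2, runner=subprocess.call, sleep=time.sleep):
    """Run argv via runner, retrying only when fork() fails with EAGAIN.

    Returns the command's exit status. Any other OSError, or EAGAIN on the
    last attempt, is re-raised so the caller still sees a failed teardown.
    """
    for n in range(1, attempts + 1):
        try:
            return runner(argv)
        except OSError as exc:
            if exc.errno != errno.EAGAIN or n == attempts:
                log.error("%s failed permanently: %s", " ".join(argv), exc)
                raise
            log.warning("fork EAGAIN on attempt %d/%d, retrying", n, attempts)
            sleep(delay * n)  # linear back-off: 0.2s, 0.4s, ...


def remove_rules(rules, **kw):
    """Delete each iptables rule (given as its argument list) via sudo.

    'rules' stands in for what the poster loads from a database, e.g.
    [["-t", "nat", "-D", "POSTROUTING", "-s", "10.8.0.0/24", "-j", "MASQUERADE"]]
    (constructed sample). Returns one exit status per rule; a non-zero status
    is logged but not fatal, so one bad rule does not leave the rest in place.
    """
    statuses = []
    for rule in rules:
        status = run_with_retry([SUDO, IPTABLES] + list(rule), **kw)
        if status != 0:
            log.error("iptables %s exited with %d", " ".join(rule), status)
        statuses.append(status)
    return statuses
```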