--cafile enabling system-trust nevertheless?

Karl O. Pinc kop at karlpinc.com
Sat Sep 7 05:52:32 PDT 2024


On Sat, 07 Sep 2024 10:19:33 +0100
David Woodhouse <dwmw2 at infradead.org> wrote:

> (And even then, strictly openconnect itself doesn't need privs; I've
> never experimented much with 'openconnect -s "sudo vpnc-script"', and
> I'm not entirely sure there's much point without a lot of focus on
> hardening vpnc-script itself to be a safe entry point.)

FWIW, in theory, there's a use case for becoming another _regular_ user
to run vpnc-script-sshd.  Which only goes to show that it's nice
to have the privilege separation.

Regards,

Karl <kop at karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein



More information about the openconnect-devel mailing list