--cafile enabling system-trust nevertheless?
Karl O. Pinc
kop at karlpinc.com
Sat Sep 7 05:52:32 PDT 2024
On Sat, 07 Sep 2024 10:19:33 +0100
David Woodhouse <dwmw2 at infradead.org> wrote:
> (And even then, strictly openconnect itself doesn't need privs; I've
> never experimented much with 'openconnect -s "sudo vpnc-script"', and
> I'm not entirely sure there's much point without a lot of focus on
> hardening vpnc-script itself to be a safe entry point.)
FWIW, in theory, there's a use case for becoming another _regular_ user
to run vpnc-script-sshd. Which only goes to show that it's nice
to have the privilege separation.
Regards,
Karl <kop at karlpinc.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
More information about the openconnect-devel mailing list