Use syscall instead of subprocess #117
Comments
On Linux, OpenConnect doesn't just call
While allowing fine-grained capabilities is a worthwhile idea, it also seems like a fair amount of work. If you want to take a crack at a PR for it, please go ahead and I'll be happy to review it. You'd need to figure out how to replace the
cap_net_admin would cover the ip related permissions (all of them). Let me take a look at the code (around 11 August)
Currently, vpn-slice requires running as root because it has a subprocess call: `replace_route`, which calls `ip route replace`.
Running scripts with root access (even open source) is a system risk. By performing a syscall, we give the option to the users to:
`setcap cap_net_admin+ep $(which vpn-slice)`
The need for writing in `/etc/hosts` can be eliminated by assigning it a custom group and using `sg`.
Proposal:
Use `SIOCADDRT` and `SIOCDELRT` for the `ioctl` calls.
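A sketch of the proposal above, added here as an illustration and not taken from vpn-slice or from any participant in this thread: it fills a `struct rtentry` for an IPv4 route and passes it to the `SIOCADDRT`/`SIOCDELRT` ioctls, after checking that `CAP_NET_ADMIN` is in the effective set. The names `build_route`, `apply_route`, `has_cap_net_admin`, `RtEntry` and `SockaddrIn` are hypothetical, and the status text is a constructed sample.

```python
import ctypes, fcntl, socket

SIOCADDRT, SIOCDELRT = 0x890B, 0x890C            # linux/sockios.h
RTF_UP, RTF_GATEWAY, RTF_HOST = 0x1, 0x2, 0x4    # linux/route.h
CAP_NET_ADMIN = 12                               # bit index, linux/capability.h
# Constructed sample of /proc/<pid>/status for a process holding only CAP_NET_ADMIN.
SAMPLE_STATUS = "Name:\tvpn-slice\nCapPrm:\t0000000000001000\nCapEff:\t0000000000001000\n"

class SockaddrIn(ctypes.Structure):   # struct sockaddr_in, 16 bytes like struct sockaddr
    _fields_ = [("sin_family", ctypes.c_ushort), ("sin_port", ctypes.c_ushort),
                ("sin_addr", ctypes.c_ubyte * 4), ("sin_zero", ctypes.c_ubyte * 8)]

class RtEntry(ctypes.Structure):      # struct rtentry from linux/route.h
    _fields_ = [("rt_pad1", ctypes.c_ulong), ("rt_dst", SockaddrIn),
                ("rt_gateway", SockaddrIn), ("rt_genmask", SockaddrIn),
                ("rt_flags", ctypes.c_ushort), ("rt_pad2", ctypes.c_short),
                ("rt_pad3", ctypes.c_ulong), ("rt_pad4", ctypes.c_void_p),
                ("rt_metric", ctypes.c_short), ("rt_dev", ctypes.c_char_p),
                ("rt_mtu", ctypes.c_ulong), ("rt_window", ctypes.c_ulong),
                ("rt_irtt", ctypes.c_ushort)]

def _sa(addr):
    """Dotted-quad IPv4 address -> AF_INET sockaddr (address bytes in network order)."""
    return SockaddrIn(socket.AF_INET, 0, (ctypes.c_ubyte * 4)(*socket.inet_aton(addr)))

def build_route(dst, mask, gateway=None, dev=None):
    """Fill an rtentry; a /32 mask marks a host route, a gateway sets RTF_GATEWAY."""
    rt = RtEntry(rt_dst=_sa(dst), rt_genmask=_sa(mask), rt_flags=RTF_UP)
    if mask == "255.255.255.255":
        rt.rt_flags |= RTF_HOST
    if gateway:
        rt.rt_gateway = _sa(gateway)
        rt.rt_flags |= RTF_GATEWAY
    if dev:
        rt.rt_dev = dev.encode()
    return rt

def has_cap_net_admin(status_text):
    """True if the CapEff mask in a /proc/<pid>/status dump has the CAP_NET_ADMIN bit."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool(int(line.split()[1], 16) >> CAP_NET_ADMIN & 1)
    return False

def apply_route(rt, delete=False):
    """Add or delete the route; refuses early when the capability is missing."""
    with open("/proc/self/status") as f:
        if not has_cap_net_admin(f.read()):
            raise PermissionError("CAP_NET_ADMIN is not in the effective set")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        fcntl.ioctl(s.fileno(), SIOCDELRT if delete else SIOCADDRT, rt)
```

`SIOCADDRT` fails with `EEXIST` when the route already exists, so matching `ip route replace` means deleting first and then adding. Linux also ignores file capabilities set on `#!` scripts and uses those of the interpreter binary.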