The "–up" option in OpenVPN is normally used for routing etc. And so it is processed before OpenVPN drops root privileges to run as nobody. However, I am invoking shell scripts that need to run as an unprivileged user.
How do I do that? I have studied Drop Process Privileges, especially polynomial's and tylerl's answers, but I do not understand how to implement. I am working in Centos 6.5, and suid is blocked, both as "chmod u+s" and as "setuid()".
There is an OpenVPN plugin ("openvpn-down-root.so") which enables scripts invoked by the "–down" option to run as root. There could be an equivalent, such as "openvpn-up-user.so", but I have not found it.
Edit0
Per Nikola Kotur's answer, I've installed Ian Meyer's runit-rpm. Although the chpst command works in terminal, in the up script it fails with "command not found". What works is "sudo chpst" plus setting the proper display and language. Please see Why doesn't my terminal output unicode characters properly? Given that, the up script needs these four lines:
LANG="en_US.UTF-8"; export LANG
GDM_LANG="en_US.UTF-8"; export GDM_LANG
DISPLAY=:0; export DISPLAY
sudo chpst -u user -U user /home/user/unprivileged.sh &
Edit1
Per 0xC0000022L's comment, I find that "sudo -u user" works as well as "sudo chpst -u user -U user":
LANG="en_US.UTF-8"; export LANG
GDM_LANG="en_US.UTF-8"; export GDM_LANG
DISPLAY=:0; export DISPLAY
sudo -u user /home/user/unprivileged.sh &
I'll study man sudoers and update if/when I get sudo alone to work.
Best Answer
I use runit's
chpsttool for tasks like this. For example, from the up script call your unprivileged script: