The "--up" option in OpenVPN is normally used for routing etc. And so it is processed before OpenVPN drops root privileges to run as nobody. However, I am invoking shell scripts that need to run as an unprivileged user.
How do I do that? I have studied Drop Process Privileges, especially polynomial's and tylerl's answers, but I do not understand how to implement. I am working in Centos 6.5, and suid is blocked, both as "chmod u+s" and as "setuid()".
There is an OpenVPN plugin ("openvpn-down-root.so") which enables scripts invoked by the "--down" option to run as root. There could be an equivalent, such as "openvpn-up-user.so", but I have not found it.
Edit0
Per Nikola Kotur's answer, I've installed Ian Meyer's runit-rpm. Although the chpst command works in terminal, in the up script it fails with "command not found". What works is "sudo chpst" plus setting the proper display and language. Please see Why doesn't my terminal output unicode characters properly?Why doesn't my terminal output unicode characters properly? Given that, the up script needs these four lines:
LANG="en_US.UTF-8"; export LANG GDM_LANG="en_US.UTF-8"; export GDM_LANG DISPLAY=:0; export DISPLAY sudo chpst -u user -U user /home/user/unprivileged.sh & Edit1
Per 0xC0000022L's comment, I find that "sudo -u user" works as well as "sudo chpst -u user -U user":
LANG="en_US.UTF-8"; export LANG GDM_LANG="en_US.UTF-8"; export GDM_LANG DISPLAY=:0; export DISPLAY sudo -u user /home/user/unprivileged.sh & I'll study man sudoers and update if/when I get sudo alone to work.
