On Wed, Nov 11, 2015 at 9:35 AM, yick xie <yick.xie at gmail.com> wrote:
> Dear developers,
> Sorry for my disturbance again, but this time I got really no way to
> deal with such a problem during the last 3 days.
> When I enabled the isolate-worker, the log hinted "cannot load
> profile.xml". No matter how I configured the run-as-user and
> run-as-group (such as nobody:nogroup, root:root, ocserv:ocserv which I
> added additionally) and the profile.xml path, it still cannot work.
> However, once I switched off the isolate-worker option, it worked. Hence was
> there anything I missed? Or could you please give me a brief
> instruction kindly? Just let me know if you need more information.

Isolate-worker enables seccomp and sets a filter for system calls. That is
not always precise if system calls are used via libc, and as I see that was
the case here in the worker process. I've modified the code a bit, so if
you'd like to try the new version, please check whether:

https://gitlab.com/ocserv/ocserv/commit/b5640d61fbf93a3f1a2a194c4e5d747b6b17009a

solves your issue.

> MobileHostEntryInfo etc..), while I got no idea what the risk would be
> if without isolate-worker.

You don't get the system call filter from seccomp. That filter ensures that
a successful attacker will have very limited privileges even if there is a
serious bug in the ocserv worker process.

regards,
Nikos
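The imprecision Nikos describes can be seen with a small constructed seccomp filter (an added example, not ocserv's own filter or code): the allowlist is written against the syscall name "open", but the libc fopen() that loads a file like profile.xml is assumed here to issue openat(2), which the filter never lists. Denying with SECCOMP_RET_ERRNO instead of killing makes the failure observable as EPERM rather than a dead worker.

```c
/* Added example: a seccomp allowlist that names open(2) but not openat(2).
 * Modern glibc/musl implement fopen() via openat(2) (assumption checked at
 * run time), so a file read fails with EPERM even though "open" is allowed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define EX_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EX_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "constructed example only covers x86_64 and aarch64"
#endif

/* Install the (deliberately incomplete) allowlist. Returns 0 on success. */
static int install_filter(void)
{
    struct sock_filter prog[] = {
        /* Check the architecture first so syscall numbers mean what we think. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EX_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* openat(2) is not on the list: answer it with EPERM so it is visible. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* Everything else, including open(2) where the arch has it, is allowed. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Returns 0 if fopen() succeeded under the filter (libc used a listed call),
 * the errno fopen() left behind (EPERM when libc went through openat),
 * or -1 if seccomp could not be installed in this environment. */
static int probe_fopen_under_filter(const char *path)
{
    if (install_filter() != 0) return -1;
    errno = 0;
    FILE *f = fopen(path, "r");
    if (f) { fclose(f); return 0; }
    return errno;
}
```

Run it against any readable file in place of profile.xml; the practical lesson is that a worker's allowlist must be checked against the syscalls the linked libc actually emits, not against the API names the program calls.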