Hi Nikos,

This commit indeed works, honestly thanks for your great favor. I will keep my eyes on its stability.

Regards,
Yick

2015-11-11 23:11 GMT+08:00 Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>:
> On Wed, Nov 11, 2015 at 9:35 AM, yick xie <yick.xie at gmail.com> wrote:
>> Dear developers,
>> Sorry for my disturbance again, but this time I got really no way to
>> deal with such a problem during the last 3 days.
>> When I enabled the isolate-worker, the log hinted "cannot load
>> profile.xml". No matter how I configured the run-as-user and
>> run-as-group (such as nobody:nogroup, root:root, ocserv:ocserv which I
>> added additionally) and the profile.xml path, it still cannot work.
>> However, once I switched off the isolate-worker option, it worked. Hence, was
>> there anything I missed? Or could you please give me a brief
>> instruction kindly? Just let me know if you need more information.
>
> Isolate workers enables seccomp and sets a filter for system calls.
> That is not always precise if system calls are used via libc, and as I
> see that was the case here in the worker process. I've modified the
> code a bit, so if you like to try the new version please check
> whether:
> https://gitlab.com/ocserv/ocserv/commit/b5640d61fbf93a3f1a2a194c4e5d747b6b17009a
> solves your issue.
>
>> MobileHostEntryInfo etc..), while I got no idea what the risk would be
>> if without isolate-worker.
>
> You don't get the system call filter from seccomp. That filter ensures
> that a successful attacker will have very limited privileges even if
> there is a serious bug in ocserv worker process.
>
> regards,
> Nikos
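The failure mode Nikos describes above (a seccomp filter written against the system call a program appears to use, while libc actually issues a different one) can be reproduced on a small scale. The following is an added example, not ocserv's code and not part of this thread: it installs a minimal seccomp-bpf filter in a forked child, then asks libc to `fopen("/dev/null")` under it. The function names `install_filter` and `fopen_under_filter` are my own. It assumes Linux on x86_64 or aarch64 and a glibc whose `fopen` goes through `openat(2)` rather than `open(2)` (true for glibc 2.26 and later). Denied calls return EPERM instead of killing the process, so the libc-level symptom (fopen returning NULL, the equivalent of ocserv's "cannot load profile.xml") is what gets observed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture tag the filter checks before trusting the syscall number.
 * Assumption: built on x86_64 or aarch64 Linux. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a seccomp-bpf filter in the calling process (example code, not
 * ocserv's). Denied syscalls fail with EPERM rather than killing the
 * process, so the caller can watch libc fail the way a worker would. */
static int install_filter(int deny_open, int deny_openat)
{
    struct sock_filter prog[10];
    unsigned short n = 0;

    /* Refuse to run on an unexpected architecture: syscall numbers differ. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);

    /* Load the syscall number and compare it against the deny list. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
#ifdef SYS_open /* aarch64 has no open(2) at all, only openat(2) */
    if (deny_open) {
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_open, 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
#endif
    if (deny_openat) {
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat, 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog fp = { .len = n, .filter = prog };
    /* NO_NEW_PRIVS is required before an unprivileged process may load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp) != 0)
        return -1;
    return 0;
}

/* Run fopen("/dev/null") in a forked child under the given filter.
 * Returns 1 if fopen succeeded, 0 if the filter made it fail, -1 on error.
 * Forking keeps the filter out of the parent: a seccomp filter, once
 * installed, cannot be removed from a process. */
int fopen_under_filter(int deny_open, int deny_openat)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter(deny_open, deny_openat) != 0)
            _exit(2);
        FILE *f = fopen("/dev/null", "r");
        if (f != NULL) {
            fclose(f);
            _exit(0);
        }
        _exit(1); /* libc reported failure: this is the worker's symptom */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0: return 1;
    case 1: return 0;
    default: return -1;
    }
}

int main(void)
{
    /* The middle line is the point: denying open(2) alone changes nothing
     * on a glibc whose fopen uses openat(2), so a filter that reasons about
     * open(2) is not describing what libc actually does. */
    printf("no denial         : fopen %s\n", fopen_under_filter(0, 0) == 1 ? "ok" : "FAILED");
    printf("deny open(2) only : fopen %s\n", fopen_under_filter(1, 0) == 1 ? "ok" : "FAILED");
    printf("deny openat(2)    : fopen %s\n", fopen_under_filter(0, 1) == 1 ? "ok" : "FAILED");
    return 0;
}
```

The practical check this suggests for any seccomp allowlist is to exercise the real program (or a libc call it makes) under the filter and trace which syscalls are actually issued, rather than deriving the list from the source's function names; a filter that is too tight shows up as an ordinary libc error like the one reported in the thread, not as an obvious crash.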