Date: Friday, November 6, 2020 @ 12:03:28 Author: eworm Revision: 399569
archrelease: copy trunk to testing-x86_64 Added: openvpn/repos/testing-x86_64/0001-unprivileged.patch (from rev 399568, openvpn/trunk/0001-unprivileged.patch) openvpn/repos/testing-x86_64/PKGBUILD (from rev 399568, openvpn/trunk/PKGBUILD) openvpn/repos/testing-x86_64/openvpn.install (from rev 399568, openvpn/trunk/openvpn.install) openvpn/repos/testing-x86_64/sysusers.conf (from rev 399568, openvpn/trunk/sysusers.conf) openvpn/repos/testing-x86_64/tmpfiles.conf (from rev 399568, openvpn/trunk/tmpfiles.conf) Deleted: openvpn/repos/testing-x86_64/0001-unprivileged.patch openvpn/repos/testing-x86_64/PKGBUILD openvpn/repos/testing-x86_64/openvpn.install openvpn/repos/testing-x86_64/sysusers.conf openvpn/repos/testing-x86_64/tmpfiles.conf -------------------------+ 0001-unprivileged.patch | 56 +++++++------- PKGBUILD | 176 +++++++++++++++++++++++----------------------- openvpn.install | 24 +++--- sysusers.conf | 2 tmpfiles.conf | 8 +- 5 files changed, 133 insertions(+), 133 deletions(-)
Deleted: 0001-unprivileged.patch
===================================================================
--- 0001-unprivileged.patch 2020-11-06 12:03:25 UTC (rev 399568)
+++ 0001-unprivileged.patch 2020-11-06 12:03:28 UTC (rev 399569)
@@ -1,28 +0,0 @@
-diff --git a/distro/systemd/openvpn-cli...@.service.in b/distro/systemd/openvpn-cli...@.service.in
-index cbcef653..71aa1335 100644
---- a/distro/systemd/openvpn-cli...@.service.in
-+++ b/distro/systemd/openvpn-cli...@.service.in
-@@ -11,6 +11,9 @@ Type=notify
- PrivateTmp=true
- WorkingDirectory=/etc/openvpn/client
- ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
-+User=openvpn
-+Group=network
-+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
- CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
- LimitNPROC=10
- DeviceAllow=/dev/null rw
-diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in
-index d1cc72cb..691f369e 100644
---- a/distro/systemd/openvpn-ser...@.service.in
-+++ b/distro/systemd/openvpn-ser...@.service.in
-@@ -11,6 +11,9 @@ Type=notify
- PrivateTmp=true
- WorkingDirectory=/etc/openvpn/server
- ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-+User=openvpn
-+Group=network
-+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
- CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
- LimitNPROC=10
- DeviceAllow=/dev/null rw
Copied: openvpn/repos/testing-x86_64/0001-unprivileged.patch (from rev 399568, openvpn/trunk/0001-unprivileged.patch)
===================================================================
--- 0001-unprivileged.patch (rev 0)
+++ 0001-unprivileged.patch 2020-11-06 12:03:28 UTC (rev 399569)
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/openvpn-cli...@.service.in b/distro/systemd/openvpn-cli...@.service.in
+index cbcef653..71aa1335 100644
+--- a/distro/systemd/openvpn-cli...@.service.in
++++ b/distro/systemd/openvpn-cli...@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in
+index d1cc72cb..691f369e 100644
+--- a/distro/systemd/openvpn-ser...@.service.in
++++ b/distro/systemd/openvpn-ser...@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
Deleted: PKGBUILD
===================================================================
--- PKGBUILD 2020-11-06 12:03:25 UTC (rev 399568)
+++ PKGBUILD 2020-11-06 12:03:28 UTC (rev 399569)
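Review bot: In both unit hunks the added `AmbientCapabilities=` line repeats the whole `CapabilityBoundingSet=`, so the process started as `User=openvpn` keeps CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT, and ambient capabilities are inherited by every non-setuid child it executes, such as up/down scripts. CAP_DAC_OVERRIDE alone bypasses file permission checks, so the account is unprivileged in name more than in effect. Since the package's own upgrade message tells users to remove the `user` and `group` directives, the set-id capabilities look droppable from the ambient list, e.g. `AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW` for the client unit; whether CAP_DAC_OVERRIDE and CAP_SYS_CHROOT are still needed depends on configurations not visible here. If the full set is intentional, a comment line above it stating which feature needs each capability would make that reviewable.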
@@ -1,88 +0,0 @@
-# Maintainer: Christian Hesse <m...@eworm.de>
-
-pkgname=openvpn
-_tag='8c3dc0551390e92bfd5b2dc83d7502e7095b7325' # git rev-parse v${pkgver}
-pkgver=2.5.0
-pkgrel=2
-pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
-arch=('x86_64')
-url='https://openvpn.net/index.php/open-source.html'
-license=('custom')
-depends=('openssl' 'lzo' 'lz4' 'systemd-libs' 'libsystemd.so' 'pkcs11-helper' 'libpkcs11-helper.so')
-optdepends=('easy-rsa: easy CA and certificate handling'
- 'pam: authenticate via PAM')
-makedepends=('git' 'systemd' 'python-docutils')
-install=openvpn.install
-validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7' # OpenVPN - Security Mailing List <secur...@openvpn.net>
- 'B62E6A2B4E56570B7BDC6BE01D829EFECA562812') # Gert Doering <g...@v6.de>
-source=("git+https://github.com/OpenVPN/openvpn.git#tag=${_tag}?signed"
- '0001-unprivileged.patch'
- 'sysusers.conf'
- 'tmpfiles.conf')
-sha256sums=('SKIP'
- '8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe'
- '3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621'
- 'b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc')
-
-prepare() {
- cd "${srcdir}"/${pkgname}
-
- # https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19302.html
- sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac
-
- # start with unprivileged user and keep granted privileges
- patch -Np1 < ../0001-unprivileged.patch
-
- autoreconf --force --install
-}
-
-build() {
- mkdir "${srcdir}"/build
- cd "${srcdir}"/build
-
- "${srcdir}"/openvpn/configure \
- --prefix=/usr \
- --sbindir=/usr/bin \
- --enable-pkcs11 \
- --enable-plugins \
- --enable-systemd \
- --enable-x509-alt-username
- make
-}
-
-check() {
- cd "${srcdir}"/build
-
- make check
-}
-
-package() {
- cd "${srcdir}"/build
-
- # Install openvpn
- make DESTDIR="${pkgdir}" install
-
- # Install sysusers and tmpfiles files
- install -D -m0644 ../sysusers.conf
"${pkgdir}"/usr/lib/sysusers.d/openvpn.conf
- install -D -m0644 ../tmpfiles.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
-
- # Install license
- install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
- ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
-
- cd "${srcdir}"/${pkgname}
-
- # Install examples
- install -d -m0755 "${pkgdir}"/usr/share/openvpn
- cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
-
- # Install contrib
- for FILE in $(find contrib -type f); do
- case "$(file --brief --mime-type --no-sandbox "${FILE}")" in
- "text/x-shellscript")
- install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
- *)
- install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
- esac
- done
-}
Copied: openvpn/repos/testing-x86_64/PKGBUILD (from rev 399568, openvpn/trunk/PKGBUILD)
===================================================================
--- PKGBUILD (rev 0)
+++ PKGBUILD 2020-11-06 12:03:28 UTC (rev 399569)
@@ -0,0 +1,88 @@
+# Maintainer: Christian Hesse <m...@eworm.de>
+
+pkgname=openvpn
+_tag='8c3dc0551390e92bfd5b2dc83d7502e7095b7325' # git rev-parse v${pkgver}
+pkgver=2.5.0
+pkgrel=3
+pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
+arch=('x86_64')
+url='https://openvpn.net/index.php/open-source.html'
+license=('custom')
+depends=('openssl' 'lzo' 'lz4' 'systemd-libs' 'libsystemd.so' 'pkcs11-helper' 'libpkcs11-helper.so')
+optdepends=('easy-rsa: easy CA and certificate handling'
+ 'pam: authenticate via PAM')
+makedepends=('git' 'systemd' 'python-docutils')
+install=openvpn.install
+validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7' # OpenVPN - Security Mailing List <secur...@openvpn.net>
+ 'B62E6A2B4E56570B7BDC6BE01D829EFECA562812') # Gert Doering <g...@v6.de>
+source=("git+https://github.com/OpenVPN/openvpn.git#tag=${_tag}?signed"
+ '0001-unprivileged.patch'
+ 'sysusers.conf'
+ 'tmpfiles.conf')
+sha256sums=('SKIP'
+ '8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe'
+ '3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621'
+ 'b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc')
+
+prepare() {
+ cd "${srcdir}"/${pkgname}
+
+ # https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19302.html
+ sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac
+
+ # start with unprivileged user and keep granted privileges
+ patch -Np1 < ../0001-unprivileged.patch
+
+ autoreconf --force --install
+}
+
+build() {
+ mkdir "${srcdir}"/build
+ cd "${srcdir}"/build
+
+ "${srcdir}"/openvpn/configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --enable-pkcs11 \
+ --enable-plugins \
+ --enable-systemd \
+ --enable-x509-alt-username
+ make
+}
+
+check() {
+ cd "${srcdir}"/build
+
+ make check
+}
+
+package() {
+ cd "${srcdir}"/build
+
+ # Install openvpn
+ make DESTDIR="${pkgdir}" install
+
+ # Install sysusers and tmpfiles files
+ install -D -m0644 ../sysusers.conf
"${pkgdir}"/usr/lib/sysusers.d/openvpn.conf
+ install -D -m0644 ../tmpfiles.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
+
+ # Install license
+ install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
+ ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
+
+ cd "${srcdir}"/${pkgname}
+
+ # Install examples
+ install -d -m0755 "${pkgdir}"/usr/share/openvpn
+ cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
+
+ # Install contrib
+ for FILE in $(find contrib -type f); do
+ case "$(file --brief --mime-type --no-sandbox "${FILE}")" in
+ "text/x-shellscript")
+ install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ *)
+ install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ esac
+ done
+}
Deleted: openvpn.install
===================================================================
--- openvpn.install 2020-11-06 12:03:25 UTC (rev 399568)
+++ openvpn.install 2020-11-06 12:03:28 UTC (rev 399569)
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-post_upgrade() {
- # return if old package version greater 2.5.0-1...
- (( $(vercmp $2 '2.5.0-1') > 0 )) && return
-
- echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd'
- echo " units start the process with a dedicated unprivileged user 'openvpn', with"
- echo ' extra capabilitiesi(7). The configuration should no longer drop privileges,'
- echo " so remove 'user' and 'group' directives."
- echo ' Scripts that require elevated privileges may need a workaround.'
-}
Copied: openvpn/repos/testing-x86_64/openvpn.install (from rev 399568, openvpn/trunk/openvpn.install)
===================================================================
--- openvpn.install (rev 0)
+++ openvpn.install 2020-11-06 12:03:28 UTC (rev 399569)
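Review bot: In `package()`, the call `file --brief --mime-type --no-sandbox` switches off file(1)'s seccomp sandbox while it inspects every file under `contrib`, and no comment says why. If the flag is there because the sandbox does not work inside the fakeroot packaging environment (an assumption, not shown on this page), record that next to the call, e.g. `# --no-sandbox: file's seccomp filter fails under fakeroot`. The surrounding `for FILE in $(find contrib -type f)` also word-splits paths; `find contrib -type f -print0 | while IFS= read -r -d '' FILE; do` would stay correct if an upstream file name ever contains whitespace.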
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+post_upgrade() {
+ # return if old package version greater 2.5.0-1...
+ (( $(vercmp $2 '2.5.0-1') > 0 )) && return
+
+ echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd'
+ echo " units start the process with a dedicated unprivileged user 'openvpn', with"
+ echo ' extra capabilities(7). The configuration should no longer drop privileges,'
+ echo " so remove 'user' and 'group' directives."
+ echo ' Scripts that require elevated privileges may need a workaround.'
+}
Deleted: sysusers.conf
===================================================================
--- sysusers.conf 2020-11-06 12:03:25 UTC (rev 399568)
+++ sysusers.conf 2020-11-06 12:03:28 UTC (rev 399569)
@@ -1 +0,0 @@
-u openvpn - "OpenVPN"
Copied: openvpn/repos/testing-x86_64/sysusers.conf (from rev 399568, openvpn/trunk/sysusers.conf)
===================================================================
--- sysusers.conf (rev 0)
+++ sysusers.conf 2020-11-06 12:03:28 UTC (rev 399569)
@@ -0,0 +1 @@
+u openvpn - "OpenVPN"
Deleted: tmpfiles.conf
===================================================================
--- tmpfiles.conf 2020-11-06 12:03:25 UTC (rev 399568)
+++ tmpfiles.conf 2020-11-06 12:03:28 UTC (rev 399569)
@@ -1,4 +0,0 @@
-d /etc/openvpn/client 0750 openvpn network -
-d /etc/openvpn/server 0750 openvpn network -
-d /run/openvpn-client 0750 openvpn network -
-d /run/openvpn-server 0750 openvpn network -
Copied: openvpn/repos/testing-x86_64/tmpfiles.conf (from rev 399568, openvpn/trunk/tmpfiles.conf)
===================================================================
--- tmpfiles.conf (rev 0)
+++ tmpfiles.conf 2020-11-06 12:03:28 UTC (rev 399569)
@@ -0,0 +1,4 @@
+d /etc/openvpn/client 0750 openvpn network -
+d /etc/openvpn/server 0750 openvpn network -
+d /run/openvpn-client 0750 openvpn network -
+d /run/openvpn-server 0750 openvpn network -
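Review bot: In openvpn.install, `post_upgrade()` uses the bash-only arithmetic command `(( … ))` under a `#!/bin/sh` shebang and passes `$2` to `vercmp` unquoted. That works when the scriptlet is run by bash, which is presumably the case for this distribution, but a POSIX test would match the shebang and quote the argument: `[ "$(vercmp "$2" '2.5.0-1')" -gt 0 ] && return`.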
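Review bot: In tmpfiles.conf, the two `/etc/openvpn/*` lines make the service account `openvpn` the owner of its own configuration directories, so the daemon can create or replace files there, including configurations that name scripts to run on the next start. Unless the daemon has to write into those directories, `d /etc/openvpn/client 0750 root network -` (and the same for `server`) would keep them readable through the `network` group without being writable by the service; any files inside that are readable only by their owner would need checking. The `/run/openvpn-*` entries are where write access is expected and can stay as they are. The change only has effect once CAP_DAC_OVERRIDE is no longer in the capability set granted by 0001-unprivileged.patch.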