Giancarlo Razzolini <[email protected]> on Tue, 2016/11/29 16:14:
> On November 26, 2016 10:38 Christian Hesse wrote:
> > Hello everybody,
> >
> > a new OpenVPN stable release is being prepared, namely version 2.4.0.
> > Currently we have 2.4_beta2. I think about making changes to our package
> > that require user intervention.
> >
> > We shipped a systemd unit file before OpenVPN upstream had one. Upstream
> > now has unit files, but two (for server and client) instead of just one.
> > I did backport some security features for our unit, but refused to
> > migrate to the upstream solution within the 2.3.x branch.
> >
> > That could change with 2.4.0. Instead of [email protected] we would have
> > [email protected] and [email protected]. Additionally the
> > 'daemon' option is no longer allowed with the upstream units.
> >
> > Any opinion about this change? Who can post news about this on the
> > website?
> >
> > Stumbled about another fact... We define PLUGIN_LIBDIR, that allows to use
> > relative paths from that directory in configuration to call the plugins.
> > This path is '/usr/lib/openvpn' - plugins are installed to
> > '/usr/lib/openvpn/plugins', though. Any reason for that?
>
> Well,
>
> I think it is good upstream is (finally) caring about the actual
> deployment of their software. I always found openvpn packaging
> odd on all the systems I used. On some, a user is created for
> running unprivileged. On others, everything is created and taken
> care of, including logging.
>
> I do not oppose using whatever upstream is deploying, if it's
> rationale. I just think that we could create a system user for
> openvpn, even if most users will deploy it using root.

We need root privileges at initialization phase, no? Privileges are dropped
to nobody/nobody when initialization sequence completed.
If we can make things work with non-root system user... Let me know how to do
that. :D

> In that
> sense we would also (probably) need a /run/openvpn directory.

The new systemd units create this automatically. (Well, actually
/run/openvpn-client and /run/openvpn-server.)

> I managed to make openvpn work entirely unprivileged here and
> I plan on changing our wiki[0] on the matter (it's missing some
> info) and also the official documentation[1] do not account for
> systemd nor ip netns exec, which is a clear venue for privilege
> escalation. What do you guys think?

Just followed the link from our wiki [2]. Probably you can make this work,
but I am not convinced this can be packaged to work smoothly. Dynamic device
naming, up/route-up/... scripts, ... There is a lot of stuff that can and will
break.

Still, if you have some clues on how to package this...

> [0]
> https://wiki.archlinux.org/index.php/OpenVPN#Drop_root_privileges_after_connecting
> [1]
> https://openvpn.net/index.php/open-source/documentation/howto.html#security

[2] https://community.openvpn.net/openvpn/wiki/UnprivilegedUser
-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
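
Added example, not part of the original message and not code from OpenVPN or the Arch package: a shell audit for the two configuration points raised in the thread, a leftover 'daemon' option (no longer allowed with the upstream units) and whether 'user' and 'group' are both set for the privilege drop. The function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-migration audit of OpenVPN config files.
# Comment lines in OpenVPN configs start with '#' or ';'.

# Print "file:line: text" for each active use of a directive.
directive_lines() {  # $1 = directive name, $2 = config file
    awk -v d="$1" '
        NF == 0 { next }                     # blank line
        substr($1, 1, 1) == "#" { next }     # comment
        substr($1, 1, 1) == ";" { next }     # comment / disabled option
        $1 == d { print FILENAME ":" FNR ": " $0 }
    ' "$2"
}

# True when the file still sets 'daemon', which the thread says the
# upstream units no longer allow.
uses_daemon() { [ -n "$(directive_lines daemon "$1")" ]; }

# True when both 'user' and 'group' are set, i.e. a privilege drop
# after initialization is configured in this file.
drops_privileges() {
    [ -n "$(directive_lines user "$1")" ] && [ -n "$(directive_lines group "$1")" ]
}

# Report on one file; returns 1 if it has findings, 0 otherwise.
audit_config() {
    rc=0
    if uses_daemon "$1"; then
        directive_lines daemon "$1"
        echo "$1: remove 'daemon' before using the upstream units"
        rc=1
    fi
    if ! drops_privileges "$1"; then
        echo "$1: 'user'/'group' not both set, no privilege drop configured"
        rc=1
    fi
    return "$rc"
}

# Constructed sample configs (not taken from the thread).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'dev tun' '  daemon' '# user nobody' 'group nobody' > "$SAMPLE_DIR/old.conf"
printf '%s\n' 'dev tun' ';daemon' 'user nobody' 'group nobody' > "$SAMPLE_DIR/new.conf"

for f in "$SAMPLE_DIR"/*.conf; do
    if audit_config "$f"; then echo "$f: ok"; fi
done
```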

