On 12/11/16 14:48, debbie10t wrote:
> 
> 
> On 12/11/16 11:38, David Sommerseth wrote:
>> There are several changes which allow systemd to take care of several
>> aspects of hardening the execution of OpenVPN.
>>
>> - Let systemd take care of the process tracking directly, instead
>>   of doing that via PID files
>>
>> - Make systemd prepare proper runtime directories for the OpenVPN
>>   process.
>>
>> - Let systemd do the chdir() before starting OpenVPN.  This allows
>>   us to avoid using the --cd option when executing openvpn.
>>
>> - CAP_DAC_OVERRIDE was needed when using --chroot.  Otherwise
>>   the root user would not be allowed to access files/directories
>>   not owned by root.  This will change in the future, when we
>>   find better ways to avoid calling chroot() in OpenVPN and
>>   rather let systemd prepare a more isolated namespace.
>>
>> - Client configurations are now started with --nobind and
>>   the OpenVPN client process has lost the CAP_NET_BIND_SERVICE
>>   capability, which allows binding to port < 1024.
>>
>> - Documentation URL now points at the OpenVPN 2.4 man page URL
>>
>> The majority of these changes have been proposed by Elias Probst
>> (eliasp) in the GitHub PR #22.
>>
>> v2 - Change RuntimeDirectory= to a profile specific (client, server)
>>      directory to avoid clashing with older distro unit files
>>
>> Contribution-by: Elias Probst <m...@eliasprobst.eu>
>> Signed-off-by: David Sommerseth <dav...@openvpn.net>
>> ---
>>  distro/systemd/openvpn-client@.service | 11 ++++++-----
>>  distro/systemd/openvpn-server@.service | 14 ++++++++------
>>  2 files changed, 14 insertions(+), 11 deletions(-)
>>
>> diff --git a/distro/systemd/openvpn-client@.service 
>> b/distro/systemd/openvpn-client@.service
>> index 56d93a9..661f4a9 100644
>> --- a/distro/systemd/openvpn-client@.service
>> +++ b/distro/systemd/openvpn-client@.service
>> @@ -3,15 +3,16 @@ Description=OpenVPN tunnel for %I
>>  After=syslog.target network-online.target
>>  Wants=network-online.target
>>  Documentation=man:openvpn(8)
>> -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
>> +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
>>  Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
>>
>>  [Service]
>>  PrivateTmp=true
>> -Type=forking
>> -PIDFile=/var/run/openvpn/client_%i.pid
>> -ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/client --config %i.conf 
>> --daemon --writepid /var/run/openvpn/client_%i.pid
>> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
>> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
>> +RuntimeDirectory=openvpn-client
>> +RuntimeDirectoryMode=0710
>> +WorkingDirectory=/etc/openvpn/client
>> +ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
>> +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
>> CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>>  LimitNPROC=10
>>  DeviceAllow=/dev/null rw
>>  DeviceAllow=/dev/net/tun rw
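Review bot: in the client CapabilityBoundingSet= line, replacing CAP_DAC_READ_SEARCH with CAP_DAC_OVERRIDE widens the bounding set rather than narrowing it: CAP_DAC_OVERRIDE bypasses write permission checks as well as read/search, and a client profile that does not use --chroot now keeps a capability it never needed. The commit message gives the --chroot rationale, but the unit file carries no trace of it; please add a comment above the line (e.g. `# CAP_DAC_OVERRIDE is only needed for --chroot; drop it via a drop-in with CapabilityBoundingSet=~CAP_DAC_OVERRIDE otherwise`) so admins can tighten it safely. Minor: RuntimeDirectory=openvpn-client is created with mode 0710 but nothing in the client ExecStart= references %t/openvpn-client, so either drop it or say what it is reserved for. Also note that with Type=forking and PIDFile= gone the unit falls back to Type=simple, so any profile config that still contains `daemon` will fork away from the supervised process and the unit will be reported as exited; that constraint belongs in the unit file or the man page.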
>> diff --git a/distro/systemd/openvpn-server@.service 
>> b/distro/systemd/openvpn-server@.service
>> index c4c9a12..48d9271 100644
>> --- a/distro/systemd/openvpn-server@.service
>> +++ b/distro/systemd/openvpn-server@.service
>> @@ -1,16 +1,18 @@
>>  [Unit]
>>  Description=OpenVPN service for %I
>> -After=syslog.target network.target
>> +After=syslog.target network-online.target
>> +Wants=network-online.target
>>  Documentation=man:openvpn(8)
>> -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
>> +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
>>  Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
>>
>>  [Service]
>>  PrivateTmp=true
>> -Type=forking
>> -PIDFile=/var/run/openvpn/server_%i.pid
>> -ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/server --status 
>> /var/run/openvpn/server_%i-status.log --status-version 2 --config %i.conf 
>> --daemon --writepid /var/run/openvpn/server_%i.pid
>> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
>> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
>> +RuntimeDirectory=openvpn-server
>> +RuntimeDirectoryMode=0710
>> +WorkingDirectory=/etc/openvpn/server
>> +ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log 
>> --status-version 2 --suppress-timestamps --config %i.conf
>> +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
>> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>>  LimitNPROC=10
>>  DeviceAllow=/dev/null rw
>>  DeviceAllow=/dev/net/tun rw
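Review bot: RuntimeDirectoryMode=0710 with no User=/Group= in the unit leaves %t/openvpn-server owned by root:root, so once a server config drops privileges with --user/--group the process can no longer traverse that directory. The --status file at %t/openvpn-server/status-%i.log keeps working only if OpenVPN still holds the descriptor it opened before the drop, and anything else a config points into that directory after the drop (a persist file, a script's output) will fail with EACCES. Either document that constraint next to RuntimeDirectory=, or set Group= on the unit to the group the configs drop to so that the 0710 mode actually grants the intended traversal. While this line is being touched, After=syslog.target refers to a target current systemd no longer provides and can be dropped.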
>>
> 
> Out of curiosity, is there a reason to put --config last ?

Yes, that is to allow a sys-admin to easily change our defaults without
modifying the unit file.

With that said, I do see a potential little trap.  A config file cannot
use --daemon, as that will break how systemd expects the process to
behave when being started successfully.  We should probably add a simple
'grep' check in the config file, to ensure "^daemon" is not found there.
I'll check this out further.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc


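One way to implement the check David proposes, as an added example that is not OpenVPN project code: a small POSIX shell helper suitable for an ExecStartPre= line that refuses to start a profile whose config file carries a `daemon` directive. The /etc/openvpn/<profile>/<name>.conf layout is taken from the unit files in the patch; the script name, the exit codes and the sample configs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not OpenVPN project code: an ExecStartPre=-style check that
# refuses to start a profile whose config file carries a "daemon" directive.
# With Type=forking/PIDFile= gone from the unit, a config that daemonizes would
# fork away from the process systemd is tracking and the unit would be reported
# as exited. The /etc/openvpn/<profile>/<name>.conf layout is taken from the
# unit files in the patch; everything else here is an assumption.

# check_no_daemon FILE
#   returns 0 - no active daemon directive found
#   returns 1 - a daemon directive is present (config must be fixed)
#   returns 2 - file not readable
# Matches "daemon", "--daemon" or "daemon <name>" at line start after optional
# whitespace (OpenVPN also accepts the leading "--" inside config files).
# Lines commented out with '#' or ';' do not match. "config <other>" includes
# are not followed, so an included file could still smuggle the directive in.
check_no_daemon() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "check_no_daemon: cannot read $conf" >&2
        return 2
    fi
    if grep -Eq '^[[:space:]]*(--)?daemon([[:space:]]|$)' "$conf"; then
        echo "$conf: 'daemon' is not allowed under systemd supervision; remove it" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on constructed sample configs written to a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'client\nremote vpn.example.com 1194\n# daemon\n' > "$tmp/good.conf"
    printf 'client\n   --daemon ovpn\nremote vpn.example.com 1194\n' > "$tmp/bad.conf"
    check_no_daemon "$tmp/good.conf" && echo "good.conf: accepted"
    check_no_daemon "$tmp/bad.conf"  || echo "bad.conf: rejected (rc=$?)"
    rm -rf "$tmp"
}

demo
```

To wire it into a unit without editing the shipped file, a drop-in such as /etc/systemd/system/openvpn-client@.service.d/check.conf with `[Service]` and `ExecStartPre=/usr/local/libexec/openvpn-check-config %i.conf` (hypothetical path) runs with the same WorkingDirectory= as ExecStart=, so `%i.conf` resolves to the same file OpenVPN will read; a non-zero exit from ExecStartPre= stops the unit before OpenVPN is launched.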
