On 29/08/18 16:27, Christian Ehrhardt wrote: > Auth_pam will require audit writes or the connection will be rejected > as the plugin fails to initialize like: > openvpn[1111]: sudo: unable to send audit message > openvpn[1111]: sudo: pam_open_session: System error > openvpn[1111]: sudo: policy plugin failed session initialization > > See links from https://community.openvpn.net/openvpn/ticket/918 for > more. > > auth_pam is a common use case and capabilities for it should be allowed > by the .service file. > > Fixes: #918 > > Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> > --- > distro/systemd/openvpn-ser...@.service.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/distro/systemd/openvpn-ser...@.service.in > b/distro/systemd/openvpn-ser...@.service.in > index a8366a04..d1cc72cb 100644 > --- a/distro/systemd/openvpn-ser...@.service.in > +++ b/distro/systemd/openvpn-ser...@.service.in > @@ -11,7 +11,7 @@ Type=notify > PrivateTmp=true > WorkingDirectory=/etc/openvpn/server > ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log > --status-version 2 --suppress-timestamps --config %i.conf > -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE > +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE > CAP_AUDIT_WRITE
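Review bot: the commit message says auth_pam "will require audit writes" but does not record which PAM call issues the audit message, so the reason for widening CapabilityBoundingSet= in the @@ -11,7 +11,7 @@ hunk is not documented in the change itself; the quoted log lines ("sudo: unable to send audit message", "sudo: pam_open_session: System error") are also emitted by sudo rather than by the openvpn auth-pam plugin, which deserves a sentence of explanation. Suggest naming the failing call (the thread identifies it as audit_log_acct_message() returning "Operation not permitted") and the PAM module or stack that reaches it, and stating that the capability only matters where the PAM modules are built against libaudit, so a later reader can judge whether the wider bounding set is needed on their distribution. Note also that CapabilityBoundingSet= only bounds what the process may hold and grants nothing by itself; that is enough while the service starts as root, but if a User= line is ever added to this unit, CAP_AUDIT_WRITE would additionally need AmbientCapabilities= to be usable.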
CAP_AUDIT_WRITE sounds safe to add. But I really need to get a better understanding *why* this is needed, when OpenVPN itself doesn't need this. What is it in the PAM code paths which triggers this requirement, and why? There might be perfectly valid reasons, but we can't just blindly jump into "Yes, we need it" without a good understanding of why.

I have run tests on RHEL-7, Fedora 28 and some older Debian 8-9-ish-sid release. I only stumble upon this issue on Debian. So what is it Debian (and thus Ubuntu) does which causes this error?

I did a little search on the PAM error which occurs (audit_log_acct_message() failed: Operation not permitted), and I could find a similar error in Fedora 8 (which is from 2007-2008). But from what I can grasp, this doesn't sound directly related to the issue we're seeing here. And this was around PAM version 0.99.

My Debian test VM uses pam-1.1.8-3.6, RHEL-7 pam-1.1.8-22 and Fedora 28 pam-1.3.1-1. Since both my Debian VM and my RHEL-7 install use essentially quite similar PAM releases .... Debian must be doing something different ... but what? I even verified that all distros are compiled with libaudit, and they are.

Anyone got a clue?

--
kind regards,

David Sommerseth
OpenVPN Inc
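A check a practitioner would want after reading the exchange above: confirm what the kernel actually granted to a running openvpn-server@ instance, rather than what the unit file declares, before arguing about why the capability is needed. The script below is an added example, not code from the OpenVPN project or from anyone in this thread. It decodes the CapBnd mask that /proc/PID/status reports (bit numbers are the constants from linux/capability.h), turns a CapabilityBoundingSet= list into the same mask, and lists which of an assumed set of needed capabilities the unit's list lacks. The sample masks, the pre-patch capability list and the NEEDED_BY_PAM list are constructed for illustration; only the unit-file list is taken from the patch.

```shell
#!/bin/sh
# Added example: decode a CapBnd mask from /proc/PID/status and compare it
# with the capability list a systemd unit declares. Not part of OpenVPN.

# Capability bit numbers, as defined in linux/capability.h (only the ones
# this unit file uses, plus CAP_AUDIT_WRITE; extend the table as needed).
cap_number() {
    case "$1" in
        CAP_DAC_OVERRIDE)     echo 1 ;;
        CAP_SETGID)           echo 6 ;;
        CAP_SETUID)           echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_NET_ADMIN)        echo 12 ;;
        CAP_NET_RAW)          echo 13 ;;
        CAP_IPC_LOCK)         echo 14 ;;
        CAP_SYS_CHROOT)       echo 18 ;;
        CAP_AUDIT_WRITE)      echo 29 ;;
        *) echo "cap_number: unknown capability $1" >&2; return 1 ;;
    esac
}

# mask_has HEXMASK CAPNAME: succeed if the capability's bit is set in HEXMASK.
# HEXMASK is the value as printed by /proc/PID/status, e.g. 00000000200474c2.
mask_has() {
    n=$(cap_number "$2") || return 2
    [ $(( (0x$1 >> n) & 1 )) -eq 1 ]
}

# unit_mask "CAP_A CAP_B ...": print the hex mask for a CapabilityBoundingSet= list.
unit_mask() {
    m=0
    for c in $1; do
        n=$(cap_number "$c") || return 1
        m=$(( m | (1 << n) ))
    done
    printf '%x\n' "$m"
}

# missing_caps "UNIT LIST" "NEEDED LIST": print each needed capability the unit lacks.
missing_caps() {
    um=$(unit_mask "$1") || return 1
    for c in $2; do
        mask_has "$um" "$c" || printf '%s\n' "$c"
    done
}

# capbnd_of PID: the CapBnd mask the kernel reports for a live process.
capbnd_of() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# Constructed sample input: the bounding set from the unit file before the
# patch, and an assumed list of what the PAM session path needs.
OLD_SET="CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE"
NEEDED_BY_PAM="CAP_SETUID CAP_SETGID CAP_AUDIT_WRITE"   # assumption, for illustration

# With a PID argument, inspect a live service, e.g.:
#   sh capcheck.sh "$(systemctl show -p MainPID --value openvpn-server@server)"
if [ $# -gt 0 ]; then
    bnd=$(capbnd_of "$1") || exit 1
    echo "CapBnd of pid $1: $bnd"
    if mask_has "$bnd" CAP_AUDIT_WRITE; then
        echo "CAP_AUDIT_WRITE is in the bounding set"
    else
        echo "CAP_AUDIT_WRITE is NOT in the bounding set"
    fi
    echo "Unit-declared set as hex: $(unit_mask "$OLD_SET")"
    echo "Needed but missing from the unit's list:"
    missing_caps "$OLD_SET" "$NEEDED_BY_PAM"
fi
```

Where libcap's tools are installed, `capsh --decode=<mask>` produces the same name list from a CapBnd value; the script just avoids that dependency. For the Debian-versus-RHEL question raised in the thread, running it against the MainPID of the service on each distribution shows whether the bounding sets the kernel enforces actually differ, or whether the difference has to lie in the PAM stack instead.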
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel