Added SRU Template, based on the older bug.
Pushed tags and sponsored for the SRU Team's review.

** Description changed:

+ [Impact]
+ 
+  * non-default but still common openvpn setups use callout scripts with
+    sudo (if the openvpn user was set up to work with sudo). That breaks in
+    >=Bionic since CAP_AUDIT_WRITE was dropped, which makes pam/sudo deny
+    the call.
+ 
+  * We brought the change upstream (they have their own .deb package) and
+    want to backport it into B/C/D
+ 
+ [Test Case]
+ 
+  * The following should work for two KVM Guests on the same virtual 
+    network.
+  * details in https://www.techgrube.de/tutorials/openvpn-server-mit-ipv4-und-ipv6
+    which the reporter and I followed (warning: the non-command text is
+    German)
+ 
+  * there is no need to do any of the IPv6 stuff in the guide, nor the
+    iptables actions
+ 
+  TL;DR would be:
+  * apt install openvpn (on client and server)
+    $ sudo apt install openvpn easy-rsa
+    Use easy-rsa to create 1 server and 1 client certificate
+    See the link above for commands to do so if you are unfamiliar
+  * add an "openvpn" user and grant it sudo permission for your test script
+    $ addgroup --system --no-create-home --disabled-login --group openvpn
+    $ adduser --system --no-create-home --disabled-login --ingroup openvpn openvpn
+  * add server/client config (copy and modify from those in /usr/share)
+    the important bit is to have a sudo call to a helper like:
+      learn-address "/usr/bin/sudo -u root /etc/openvpn/scripts/test.sh"
+ client.conf
+ client
+ dev tun
+ proto udp
+ remote 192.168.122.29 1194
+ resolv-retry infinite
+ nobind
+ persist-key
+ persist-tun
+ ca /etc/openvpn/easy-rsa/pki/ca.crt
+ cert /etc/openvpn/easy-rsa/pki/issued/guest1.crt
+ key /etc/openvpn/easy-rsa/pki/private/guest1.key
+ remote-cert-tls server
+ cipher AES-256-CBC
+ tls-version-min 1.2
+ tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
+ auth SHA512
+ comp-lzo
+ verb 6
+ explicit-exit-notify
+ 
+ server.conf
+ port 1194
+ proto udp
+ dev tun
+ ca /etc/openvpn/easy-rsa/pki/ca.crt
+ cert /etc/openvpn/easy-rsa/pki/issued/server.crt
+ key /etc/openvpn/easy-rsa/pki/private/server.key
+ dh /etc/openvpn/easy-rsa/pki/dh.pem
+ topology subnet
+ server 10.8.0.0 255.255.255.0
+ ifconfig-pool-persist ipp.txt
+ script-security 2
+ push "redirect-gateway def1"
+ push "dhcp-option DNS 8.8.8.8"
+ keepalive 10 120
+ tls-version-min 1.2
+ tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
+ auth SHA512
+ cipher AES-256-CBC
+ comp-lzo
+ persist-key
+ persist-tun
+ status openvpn-status.log
+ verb 6
+ user openvpn
+ group openvpn
+ 
+  * Create the test script (the write into /etc has to happen as root as
+    well, so the redirect goes through tee rather than `sudo echo >>`)
+    $ sudo mkdir -p /etc/openvpn/scripts/
+    $ printf '#!/bin/sh\nid\n' | sudo tee /etc/openvpn/scripts/test.sh
+    $ sudo chmod +x /etc/openvpn/scripts/test.sh
+  * Start the server service and run journalctl -f
+       And here is the important part for this sub-bug of bug 1787208.
+       To use the affected service files you'd not run openvpn@server, which
+       would be the default Debian/Ubuntu templated service file.
+       Instead you'd use `systemctl restart openvpn-server@server`
+       Mind the extra -server
+  * Let the client connect (you will see the denials on the server)
+ 
+ [Regression Potential]
+ 
+  * It adds one allowed capability (a rather safe one btw) to openvpn's
+    service. There should be no regression risk of breaking functional
+    setups.
+    If anything I'd have security concerns, but since it was this way in
+    Xenial and already is this way in "the other" set of .service files,
+    that should not matter.
+ 
+ [Other Info]
+ 
+  * This was in Xenial, picked by upstream for their own .deb package but
+    not integrated in their actual repository. Debian, by aligning with
+    upstream, dropped it and we followed. This time we made sure it got
+    upstream and therefore hopefully it should not recur.
+  * This was already fixed in bug 1787208, but the package has two sets of
+    .service files and this change fixes the one that is still affected.
+ 
+ ---
+ 
  For a while openvpn has been haunted by having two sets of services: a
  bunch from upstream and a pair from the Debian packaging.
  
  Every now and then changes fix one but miss the other.
  
  In this case the fix for bug 1787208 was only applied to openvpn@.service
  (Debian packaging) but not to openvpn-server@.service (service files from
  upstream).
  
  Please correct this in the same releases as the older bug.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1828771

Title:
  Add  CAP_AUDIT_WRITE to non-upstream services

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1828771/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
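One check a practitioner would want alongside the [Test Case] in the bug above is to confirm, before reproducing, which of the two sets of .service files actually grants CAP_AUDIT_WRITE, and whether a running process ended up with it in its bounding set. The script below is an added example, not code from the bug report, from Ubuntu or from the openvpn project. The two unit files it writes are constructed stand-ins for openvpn-server@.service before and after the one-capability fix (not copies of the shipped unit), and the bit number 29 for CAP_AUDIT_WRITE comes from the kernel's capability header.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the openvpn package.
# Two checks for the situation described in the [Test Case]: does a systemd
# unit file grant CAP_AUDIT_WRITE, and does a running process's bounding set
# (CapBnd in /proc/<pid>/status) contain it. Without that capability sudo's
# PAM session cannot write its audit record, and the learn-address callout
# fails even though the sudoers rule would allow it.
#
# The two unit files below are constructed stand-ins, not the shipped
# openvpn-server@.service; on a real host compare with
#   systemctl show openvpn-server@server -p CapabilityBoundingSet
set -eu

CAP_AUDIT_WRITE_BIT=29   # bit number from <linux/capability.h>

# Print the effective CapabilityBoundingSet= of a unit file, one capability
# per line. Repeated assignments merge and an empty assignment resets, as in
# systemd; the "~" (invert) form is not modelled here.
effective_bounding_set() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^CapabilityBoundingSet=/ {
            val = substr($0, index($0, "=") + 1)
            if (val == "") { split("", caps); next }
            n = split(val, list, /[ \t]+/)
            for (i = 1; i <= n; i++) if (list[i] != "") caps[list[i]] = 1
        }
        END { for (c in caps) print c }
    ' "$1" | sort
}

# Succeed when CAPNAME ($2) is in the bounding set of unit file $1.
unit_grants_cap() {
    effective_bounding_set "$1" | grep -qx "$2"
}

# Succeed when bit $2 is set in a hex CapBnd mask $1 written as in
# /proc/<pid>/status (no 0x prefix).
cap_bit_set() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

WORK=$(mktemp -d)

# Constructed "before": an upstream-style unit without CAP_AUDIT_WRITE.
BROKEN_UNIT=$WORK/openvpn-server@.service.before
cat > "$BROKEN_UNIT" <<'EOF'
[Unit]
Description=OpenVPN service for %I

[Service]
Type=notify
ExecStart=/usr/sbin/openvpn --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
EOF

# Constructed "after": the same unit with the one capability the bug adds.
FIXED_UNIT=$WORK/openvpn-server@.service.after
sed 's/^\(CapabilityBoundingSet=CAP_SETGID.*\)$/\1 CAP_AUDIT_WRITE/' \
    "$BROKEN_UNIT" > "$FIXED_UNIT"

report() {
    for unit in "$BROKEN_UNIT" "$FIXED_UNIT"; do
        if unit_grants_cap "$unit" CAP_AUDIT_WRITE; then
            echo "$(basename "$unit"): grants CAP_AUDIT_WRITE, sudo callouts can audit-log"
        else
            echo "$(basename "$unit"): lacks CAP_AUDIT_WRITE, expect pam/sudo failures in the journal"
        fi
    done
    # On Linux, show how the same question is answered for a live process.
    if [ -r /proc/self/status ]; then
        mask=$(awk '/^CapBnd:/ { print $2 }' /proc/self/status)
        if cap_bit_set "$mask" "$CAP_AUDIT_WRITE_BIT"; then
            echo "this shell: CapBnd=$mask includes CAP_AUDIT_WRITE"
        else
            echo "this shell: CapBnd=$mask lacks CAP_AUDIT_WRITE"
        fi
    fi
}

report
```

On a Bionic or later host, point effective_bounding_set at /lib/systemd/system/openvpn@.service and /lib/systemd/system/openvpn-server@.service instead of the constructed files to see which of the two templates is missing the capability, and read the openvpn daemon's own CapBnd line from its /proc/<pid>/status to confirm what the running service was actually started with.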
