Giancarlo Razzolini <grazzolini@archlinux.org> on Tue, 2016/11/29 16:14:
On November 26, 2016 10:38 Christian Hesse wrote:
Hello everybody,
a new OpenVPN stable release is being prepared, namely version 2.4.0. Currently we have 2.4_beta2. I think about making changes to our package that require user intervention.
We shipped a systemd unit file before OpenVPN upstream had one. Upstream now has unit files, but two (for server and client) instead of just one. I did backport some security features for our unit, but refused to migrate to the upstream solution within the 2.3.x branch.
That could change with 2.4.0. Instead of openvpn@.service we would have openvpn-server@.service and openvpn-client@.service. Additionally the 'daemon' option is no longer allowed with the upstream units.
Any opinion about this change? Who can post news about this on the website?
Stumbled about another fact... We define PLUGIN_LIBDIR, that allows to use relative paths from that directory in configuration to call the plugins. This path is '/usr/lib/openvpn' - plugins are installed to '/usr/lib/openvpn/plugins', though. Any reason for that?
Well,
I think it is good upstream is (finally) caring about the actual deployment of their software. I always found openvpn packaging odd on all the systems I used. On some, a user is created for running unprivileged. On others, everything is created and taken care of, including logging.
I do not oppose using whatever upstream is deploying, if it's rational. I just think that we could create a system user for openvpn, even if most users will deploy it using root.
We need root privileges at the initialization phase, no? Privileges are dropped to nobody/nobody when the initialization sequence is completed. If we can make things work with a non-root system user... Let me know how to do that. :D
In that sense we would also (probably) need a /run/openvpn directory.
The new systemd units create this automatically. (Well, actually /run/openvpn-client and /run/openvpn-server.)
I managed to make openvpn work entirely unprivileged here and I plan on changing our wiki[0] on the matter (it's missing some info); also the official documentation[1] does not account for systemd nor ip netns exec, which is a clear venue for privilege escalation. What do you guys think?
Just followed the link from our wiki [2]. Probably you can make this work, but I am not convinced this can be packaged to work smoothly. Dynamic device naming, up/route-up/... scripts, ... There is a lot of stuff that can and will break. Still, if you have some clues on how to package this...
[0] https://wiki.archlinux.org/index.php/OpenVPN#Drop_root_privileges_after_conn...
[1] https://openvpn.net/index.php/open-source/documentation/howto.html#security
[2] https://community.openvpn.net/openvpn/wiki/UnprivilegedUser
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
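As an added example (not from this thread, the Arch package or the OpenVPN project): a small POSIX shell lint that checks an OpenVPN config for the points discussed above before it is moved under the upstream openvpn-client@/openvpn-server@ units: 'daemon' is rejected, a missing user/group drop is reported, and a privilege drop without persist-key/persist-tun is flagged since OpenVPN cannot re-read keys or re-open the tun device as nobody. The sample configs are constructed inline for the demonstration; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example: lint an OpenVPN config for use with the upstream systemd units.
# Constructed sample config with the problems the thread talks about.
make_sample_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
daemon
ca ca.crt
cert client.crt
key client.key
EOF
}

# Constructed corrected config: foreground, drops to nobody after init, keeps key/tun.
make_fixed_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
EOF
}

# has_opt FILE OPTION -> success if OPTION appears as a directive (first word on a line)
has_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# lint_openvpn_config FILE -> prints findings; exit status is the number of findings
lint_openvpn_config() {
    cfg=$1; n=0
    if has_opt "$cfg" daemon; then
        echo "ERROR: 'daemon' is not allowed with openvpn-*@.service (systemd runs it in the foreground)"; n=$((n+1))
    fi
    if ! has_opt "$cfg" user || ! has_opt "$cfg" group; then
        echo "WARN: no 'user'/'group' directive: OpenVPN keeps root after initialization"; n=$((n+1))
    fi
    if has_opt "$cfg" user && { ! has_opt "$cfg" persist-key || ! has_opt "$cfg" persist-tun; }; then
        echo "WARN: 'user' without 'persist-key'/'persist-tun': restarts fail once privileges are dropped"; n=$((n+1))
    fi
    return $n
}
```

Run it as `lint_openvpn_config /etc/openvpn/client/foo.conf`; a zero exit status means the file passed all three checks.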