[arch-commits] Commit in openvpn/trunk (5 files)
Christian Hesse
eworm at archlinux.org
Fri Nov 6 07:02:11 UTC 2020
Date: Friday, November 6, 2020 @ 07:02:10
Author: eworm
Revision: 399566
upgpkg: openvpn 2.5.0-2: use dedicated user with capabilities
Added:
openvpn/trunk/0001-unprivileged.patch
openvpn/trunk/openvpn.install
openvpn/trunk/sysusers.conf
openvpn/trunk/tmpfiles.conf
Modified:
openvpn/trunk/PKGBUILD
-------------------------+
0001-unprivileged.patch | 28 ++++++++++++++++++++++++++++
PKGBUILD | 23 +++++++++++++++++------
openvpn.install | 12 ++++++++++++
sysusers.conf | 1 +
tmpfiles.conf | 4 ++++
5 files changed, 62 insertions(+), 6 deletions(-)
Added: 0001-unprivileged.patch
===================================================================
--- 0001-unprivileged.patch (rev 0)
+++ 0001-unprivileged.patch 2020-11-06 07:02:10 UTC (rev 399566)
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/openvpn-client at .service.in b/distro/systemd/openvpn-client at .service.in
+index cbcef653..71aa1335 100644
+--- a/distro/systemd/openvpn-client at .service.in
++++ b/distro/systemd/openvpn-client at .service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/openvpn-server at .service.in b/distro/systemd/openvpn-server at .service.in
+index d1cc72cb..691f369e 100644
+--- a/distro/systemd/openvpn-server at .service.in
++++ b/distro/systemd/openvpn-server at .service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
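Review bot: The `AmbientCapabilities=` lines added to both units copy the entire bounding set, so the `openvpn` account starts with CAP_DAC_OVERRIDE, CAP_SETUID and CAP_SETGID already in effect, which leaves little practical separation from root. Ambient capabilities are preserved across execve(), so any script or plugin the daemon launches would presumably inherit them too. Since the package's install notice tells users to remove the `user` and `group` directives, the client unit could likely be narrowed to `AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW`, with CAP_NET_BIND_SERVICE added for the server, and the rest restored only where a configuration is shown to need them. This needs testing against setups that read root-owned key files, use chroot, or authenticate through PAM.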
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-11-05 23:12:50 UTC (rev 399565)
+++ PKGBUILD 2020-11-06 07:02:10 UTC (rev 399566)
@@ -3,19 +3,26 @@
pkgname=openvpn
_tag='8c3dc0551390e92bfd5b2dc83d7502e7095b7325' # git rev-parse v${pkgver}
pkgver=2.5.0
-pkgrel=1
+pkgrel=2
pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
arch=('x86_64')
url='https://openvpn.net/index.php/open-source.html'
+license=('custom')
depends=('openssl' 'lzo' 'lz4' 'systemd-libs' 'libsystemd.so' 'pkcs11-helper' 'libpkcs11-helper.so')
optdepends=('easy-rsa: easy CA and certificate handling'
'pam: authenticate via PAM')
makedepends=('git' 'systemd' 'python-docutils')
-license=('custom')
+install=openvpn.install
validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7' # OpenVPN - Security Mailing List <security at openvpn.net>
'B62E6A2B4E56570B7BDC6BE01D829EFECA562812') # Gert Doering <gert at v6.de>
-source=("git+https://github.com/OpenVPN/openvpn.git#tag=${_tag}?signed")
-sha256sums=('SKIP')
+source=("git+https://github.com/OpenVPN/openvpn.git#tag=${_tag}?signed"
+ '0001-unprivileged.patch'
+ 'sysusers.conf'
+ 'tmpfiles.conf')
+sha256sums=('SKIP'
+ '8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe'
+ '3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621'
+ 'b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc')
prepare() {
cd "${srcdir}"/${pkgname}
@@ -23,6 +30,9 @@
# https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19302.html
sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac
+ # start with unprivileged user and keep granted privileges
+ patch -Np1 < ../0001-unprivileged.patch
+
autoreconf --force --install
}
@@ -52,8 +62,9 @@
# Install openvpn
make DESTDIR="${pkgdir}" install
- # Create empty configuration directories
- install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+ # Install sysusers and tmpfiles files
+ install -D -m0644 ../sysusers.conf "${pkgdir}"/usr/lib/sysusers.d/openvpn.conf
+ install -D -m0644 ../tmpfiles.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
# Install license
install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
Added: openvpn.install
===================================================================
--- openvpn.install (rev 0)
+++ openvpn.install 2020-11-06 07:02:10 UTC (rev 399566)
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+post_upgrade() {
+ # return if old package version greater 2.5.0-1...
+ (( $(vercmp $2 '2.5.0-1') > 0 )) && return
+
+ echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd'
+ echo " units start the process with a dedicated unprivileged user 'openvpn', with"
+ echo ' extra capabilitiesi(7). The configuration should no longer drop privileges,'
+ echo " so remove 'user' and 'group' directives."
+ echo ' Scripts that require elevated privileges may need a workaround.'
+}
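Review bot: In post_upgrade, `$2` is expanded unquoted inside `$(vercmp $2 '2.5.0-1')`; writing `$(vercmp "$2" '2.5.0-1')` avoids word splitting on an unexpected value. The third echo line prints `capabilitiesi(7)`, which looks like a typo for `capabilities(7)` in a notice administrators will read. The `(( ... ))` test is a bash construct under a `#!/bin/sh` shebang, which is only safe if the install script is always sourced by bash, so a one-line comment such as `# sourced by pacman (bash); shebang is informational` would make that assumption explicit.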
Added: sysusers.conf
===================================================================
--- sysusers.conf (rev 0)
+++ sysusers.conf 2020-11-06 07:02:10 UTC (rev 399566)
@@ -0,0 +1 @@
+u openvpn - "OpenVPN"
Added: tmpfiles.conf
===================================================================
--- tmpfiles.conf (rev 0)
+++ tmpfiles.conf 2020-11-06 07:02:10 UTC (rev 399566)
@@ -0,0 +1,4 @@
+d /etc/openvpn/client 0750 openvpn network -
+d /etc/openvpn/server 0750 openvpn network -
+d /run/openvpn-client 0750 openvpn network -
+d /run/openvpn-server 0750 openvpn network -
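Review bot: The two `/etc/openvpn/*` entries make the service account the owner of its own configuration directories, so a compromised daemon could add or replace files there, whereas the removed PKGBUILD line created them with the default owner and group 90 only. Because the units set `Group=network`, ownership such as `d /etc/openvpn/client 0750 root network -` (and the same for `server`) would still let the daemon read its configuration without write access. If a configuration writes state relative to the working directory, that state would then need to live elsewhere, presumably under the `/run/openvpn-*` directories already declared here. Note that this tightening has little effect while the units still grant CAP_DAC_OVERRIDE.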