[arch-dev-public] Preparing OpenVPN 2.4.x - possible incompatible changes
grazzolini at archlinux.org
Tue Nov 29 16:14:31 UTC 2016
Em novembro 26, 2016 10:38 Christian Hesse escreveu:
> Hello everybody,
> a new OpenVPN stable release is being prepared, namely version 2.4.0.
> Currently we have 2.4_beta2. I think about making changes to our package that
> require user intervention.
> We shipped a systemd unit file before OpenVPN upstream had one. Upstream now
> has unit files, but two (for server and client) instead of just one. I did
> backport some security features for our unit, but refused to migrate to the
> upstream solution within the 2.3.x branch.
> That could change with 2.4.0. Instead of openvpn at .service we would have
> openvpn-server at .service and openvpn-client at .service. Additionally the
> 'daemon' option is no longer allowed with the upstream units.
> Any opinion about this change? Who can post news about this on the website?
> Stumbled about another fact... We define PLUGIN_LIBDIR, that allows to use
> relative paths from that directory in configuration to call the plugins. This
> path is '/usr/lib/openvpn' - plugins are installed to
> '/usr/lib/openvpn/plugins', though. Any reason for that?
I think it is good upstream is (finally) caring about the actual
deployment of their software. I always found openvpn packaging
odd on all the systems I used. On some, a user is created for
running unprivileged. On others, everything is created and taken
care of, including logging.
I do not oppose using whatever upstream is deploying, if it's
rationale. I just think that we could create a system user for
openvpn, even if most users will deploy it using root. In that
sense we would also (probably) need a /run/openvpn directory.
I managed to make openvpn work entirely unprivileged here and
I plan on changing our wiki on the matter (it's missing some
info) and also the official documentation do not account for
systemd nor ip netns exec, which is a clear venue for privilege
escalation. What do you guys think?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 870 bytes
Desc: not available
More information about the arch-dev-public