[arch-dev-public] Preparing OpenVPN 2.4.x - possible incompatible changes

Giancarlo Razzolini grazzolini at archlinux.org
Tue Nov 29 16:14:31 UTC 2016


On November 26, 2016 10:38, Christian Hesse wrote:
> Hello everybody,
> 
> a new OpenVPN stable release is being prepared, namely version 2.4.0.
> Currently we have 2.4_beta2. I think about making changes to our package that
> require user intervention.
> 
> We shipped a systemd unit file before OpenVPN upstream had one. Upstream now
> has unit files, but two (for server and client) instead of just one. I did
> backport some security features for our unit, but refused to migrate to the
> upstream solution within the 2.3.x branch.
> 
> That could change with 2.4.0. Instead of openvpn@.service we would have
> openvpn-server@.service and openvpn-client@.service. Additionally the
> 'daemon' option is no longer allowed with the upstream units.
> 
> Any opinion about this change? Who can post news about this on the website?
> 
> Stumbled upon another fact... We define PLUGIN_LIBDIR, which allows using
> relative paths from that directory in configuration to call the plugins. This
> path is '/usr/lib/openvpn' - plugins are installed to
> '/usr/lib/openvpn/plugins', though. Any reason for that?

Well,

        I think it is good upstream is (finally) caring about the actual
        deployment of their software. I always found openvpn packaging
        odd on all the systems I used. On some, a user is created for
        running unprivileged. On others, everything is created and taken
        care of, including logging.

        I do not oppose using whatever upstream is deploying, if it's
        rational. I just think that we could create a system user for
        openvpn, even if most users will deploy it using root. In that
        sense we would also (probably) need a /run/openvpn directory.

        I managed to make openvpn work entirely unprivileged here and
        I plan on changing our wiki[0] on the matter (it's missing some
        info) and also the official documentation[1] does not account for
        systemd nor ip netns exec, which is a clear avenue for privilege
        escalation. What do you guys think?

Cheers,
Giancarlo Razzolini

[0] https://wiki.archlinux.org/index.php/OpenVPN#Drop_root_privileges_after_connecting
[1] https://openvpn.net/index.php/open-source/documentation/howto.html#security