[arch-dev-public] Preparing OpenVPN 2.4.x - possible incompatible changes
Christian Hesse
list at eworm.de
Tue Nov 29 16:38:57 UTC 2016
Giancarlo Razzolini <grazzolini at archlinux.org> on Tue, 2016/11/29 16:14:
> On November 26, 2016 10:38 Christian Hesse wrote:
> > Hello everybody,
> >
> > a new OpenVPN stable release is being prepared, namely version 2.4.0.
> > Currently we have 2.4_beta2. I think about making changes to our package
> > that require user intervention.
> >
> > We shipped a systemd unit file before OpenVPN upstream had one. Upstream
> > now has unit files, but two (for server and client) instead of just one.
> > I did backport some security features for our unit, but refused to
> > migrate to the upstream solution within the 2.3.x branch.
> >
> > That could change with 2.4.0. Instead of openvpn@.service we would have
> > openvpn-server@.service and openvpn-client@.service. Additionally the
> > 'daemon' option is no longer allowed with the upstream units.
> >
> > Any opinion about this change? Who can post news about this on the
> > website?
> >
> > Stumbled about another fact... We define PLUGIN_LIBDIR, that allows to use
> > relative paths from that directory in configuration to call the plugins.
> > This path is '/usr/lib/openvpn' - plugins are installed to
> > '/usr/lib/openvpn/plugins', though. Any reason for that?
>
> Well,
>
> I think it is good upstream is (finally) caring about the actual
> deployment of their software. I always found openvpn packaging
> odd on all the systems I used. On some, a user is created for
> running unprivileged. On others, everything is created and taken
> care of, including logging.
>
> I do not oppose using whatever upstream is deploying, if it's
> rational. I just think that we could create a system user for
> openvpn, even if most users will deploy it using root.

We need root privileges in the initialization phase, no? Privileges are dropped
to nobody/nobody once the initialization sequence has completed.
If we can make things work with a non-root system user... Let me know how to do
that. :D

> In that
> sense we would also (probably) need a /run/openvpn directory.

The new systemd units create this automatically. (Well,
actually /run/openvpn-client and /run/openvpn-server.)

> I managed to make openvpn work entirely unprivileged here and
> I plan on changing our wiki[0] on the matter (it's missing some
> info) and also the official documentation[1] does not account for
> systemd nor ip netns exec, which is a clear venue for privilege
> escalation. What do you guys think?

Just followed the link from our wiki [2]. Probably you can make this work,
but I am not convinced this can be packaged to work smoothly.
Dynamic device naming, up/route-up/... scripts, ... There is a lot of stuff
that can and will break.
Still, if you have some clues on how to package this...

> [0]
> https://wiki.archlinux.org/index.php/OpenVPN#Drop_root_privileges_after_connecting
> [1]
> https://openvpn.net/index.php/open-source/documentation/howto.html#security
[2] https://community.openvpn.net/openvpn/wiki/UnprivilegedUser
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
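
As an added example (not part of the original message, nor of the Arch or OpenVPN packaging), here is a pre-migration check for two points raised in the thread: the `daemon` option that the upstream units no longer allow, and dropping privileges after initialization. It assumes the drop is configured with OpenVPN's `user` and `group` directives; the unit suggestion is a heuristic (`client` or `remote` present means client), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit OpenVPN configs before switching from openvpn@.service
# to the upstream openvpn-client@.service / openvpn-server@.service units.

# has_directive FILE NAME: exit 0 if NAME is an active directive in FILE.
# Comparing only the first field skips comment lines ("# daemon", ";daemon")
# and ignores leading whitespace.
has_directive() {
    awk -v name="$2" '
        $1 == name { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_config FILE: print one finding per line, then the suggested unit.
audit_config() {
    f=$1
    if has_directive "$f" daemon; then
        echo "daemon: not allowed with the upstream units, remove it"
    fi
    # Without user/group the process stays root after initialization.
    has_directive "$f" user ||
        echo "user: missing, no privilege drop after initialization"
    has_directive "$f" group ||
        echo "group: missing, no group drop after initialization"
    # Heuristic (assumption): client configs carry "client" or "remote".
    if has_directive "$f" client || has_directive "$f" remote; then
        echo "unit: openvpn-client@.service"
    else
        echo "unit: openvpn-server@.service"
    fi
}

# Stand-alone use: pass config files as arguments.
if [ "$#" -gt 0 ]; then
    for conf in "$@"; do
        echo "== $conf"
        audit_config "$conf"
    done
fi
```
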