security/openvpn: create and use dedicated openvpn user
PR: 259384
Showing 7 changed files with 89 additions and 11 deletions.
security/openvpn/files/patch-doc_man-sections_generic-options.rst (11 additions, 0 deletions)
@@ -0,0 +1,11 @@ | ||
--- doc/man-sections/generic-options.rst.orig 2021-10-31 16:17:17 UTC | ||
+++ doc/man-sections/generic-options.rst | ||
@@ -431,7 +431,7 @@ which mode OpenVPN is configured as. | ||
able to gain control of an OpenVPN session. Though OpenVPN's security | ||
features make this unlikely, it is provided as a second line of defense. | ||
|
||
- By setting ``user`` to :code:`nobody` or somebody similarly unprivileged, | ||
+ By setting ``user`` to :code:`openvpn` or somebody similarly unprivileged, | ||
the hostile party would be limited in what damage they could cause. Of | ||
course once you take away privileges, you cannot return them to an | ||
OpenVPN session. This means, for example, that if you want to reset an |
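Review bot: the substitution only touches the paragraph for ``user``; since the point of a dedicated account is to stop sharing ``nobody`` with every other unprivileged daemon on the host, check whether the ``group`` option's text in this same file also names ``nobody``/``nogroup`` and give it the same treatment, otherwise the manual will advise dropping to user ``openvpn`` while still pointing the group advice at the shared account. Note also that this ``.rst`` is the source from which ``openvpn.8`` and ``openvpn.8.html`` are generated, so the identical one-word change is now carried in three patch files that must be refreshed together on the next upstream documentation update.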
@@ -0,0 +1,20 @@ | ||
--- doc/openvpn.8.orig 2021-10-05 05:57:01 UTC | ||
+++ doc/openvpn.8 | ||
@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior | ||
.B \-\-persist\-key | ||
Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&. | ||
.sp | ||
-This option can be combined with \fB\-\-user nobody\fP to allow restarts | ||
+This option can be combined with \fB\-\-user openvpn\fP to allow restarts | ||
triggered by the \fBSIGUSR1\fP signal. Normally if you drop root | ||
privileges in OpenVPN, the daemon cannot be restarted since it will now | ||
be unable to re\-read protected key files. | ||
@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho | ||
able to gain control of an OpenVPN session. Though OpenVPN\(aqs security | ||
features make this unlikely, it is provided as a second line of defense. | ||
.sp | ||
-By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged, | ||
+By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged, | ||
the hostile party would be limited in what damage they could cause. Of | ||
course once you take away privileges, you cannot return them to an | ||
OpenVPN session. This means, for example, that if you want to reset an |
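Review bot: this patches the pre-built ``doc/openvpn.8`` shipped in the tarball, so it only takes effect if the port installs that file rather than regenerating the man page from ``doc/man-sections/*.rst`` at build time; confirm which path the build takes (for example whether a DOCS option pulls in an rst-to-man tool), because if the page is regenerated this patch and the HTML one are dead weight, and if it is not, the ``.rst`` patch changes nothing the user ever sees. The ``--persist-key`` paragraph is the right place for this change: it is the one that explains why a privilege-dropped daemon cannot re-read key files on ``SIGUSR1``, which is exactly the failure an existing installation will hit when ``user`` is switched to ``openvpn`` without ``persist-key``.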
@@ -0,0 +1,20 @@ | ||
--- doc/openvpn.8.html.orig 2021-10-05 05:57:01 UTC | ||
+++ doc/openvpn.8.html | ||
@@ -650,7 +650,7 @@ lower priority, <tt class="docutils literal">n</tt> le | ||
<tr><td class="option-group"> | ||
<kbd><span class="option">--persist-key</span></kbd></td> | ||
<td><p class="first">Don't re-read key files across <code>SIGUSR1</code> or <tt class="docutils literal"><span class="pre">--ping-restart</span></tt>.</p> | ||
-<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> nobody</tt> to allow restarts | ||
+<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> openvpn</tt> to allow restarts | ||
triggered by the <code>SIGUSR1</code> signal. Normally if you drop root | ||
privileges in OpenVPN, the daemon cannot be restarted since it will now | ||
be unable to re-read protected key files.</p> | ||
@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th | ||
useful to protect the system in the event that some hostile party was | ||
able to gain control of an OpenVPN session. Though OpenVPN's security | ||
features make this unlikely, it is provided as a second line of defense.</p> | ||
-<p class="last">By setting <tt class="docutils literal">user</tt> to <code>nobody</code> or somebody similarly unprivileged, | ||
+<p class="last">By setting <tt class="docutils literal">user</tt> to <code>openvpn</code> or somebody similarly unprivileged, | ||
the hostile party would be limited in what damage they could cause. Of | ||
course once you take away privileges, you cannot return them to an | ||
OpenVPN session. This means, for example, that if you want to reset an |
@@ -1,17 +1,34 @@ | ||
[ | ||
{ type: install | ||
message: <<EOM | ||
Edit /etc/rc.conf[.local] to start OpenVPN automatically at system | ||
startup. See %%PREFIX%%/etc/rc.d/openvpn for details. | ||
Edit /etc/rc.conf[.local] to start OpenVPN automatically at system | ||
startup. See %%PREFIX%%/etc/rc.d/openvpn for details. | ||
|
||
Connect to VPN server as a client with this command to include | ||
the client.up/down scripts in the initialization: | ||
openvpn-client <spec>.ovpn | ||
Connect to VPN server as a client with this command to include | ||
the client.up/down scripts in the initialization: | ||
openvpn-client <spec>.ovpn | ||
|
||
For compatibility notes when interoperating with older OpenVPN | ||
versions, please see <http://openvpn.net/relnotes.html> | ||
For compatibility notes when interoperating with older OpenVPN | ||
versions, please see <http://openvpn.net/relnotes.html> | ||
|
||
Note that OpenVPN does not officially support LibreSSL. | ||
Note that OpenVPN does not officially support LibreSSL. | ||
|
||
Note that OpenVPN configures a separate user and group "openvpn", | ||
which should be used instead of the NFS user "nobody" | ||
when an unprivileged user account is desired. | ||
|
||
You may want to add user openvpn and group openvpn when creating your | ||
configuration files, the example configuration shows this only as comments. | ||
EOM | ||
} | ||
{ type: upgrade | ||
message: <<EOM | ||
Note that OpenVPN now configures a separate user and group "openvpn", | ||
which should be used instead of the NFS user "nobody" | ||
when an unprivileged user account is desired. | ||
|
||
It is advisable to review existing configuration files and | ||
to consider adding/changing user openvpn and group openvpn. | ||
EOM | ||
} | ||
] |
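Review bot: "the NFS user "nobody"" (in both the install and upgrade messages) is misleading; ``nobody`` is the system's generic unprivileged account that NFS root-squashing happens to map to, and the actual problem is that it is shared with other daemons, so "the shared unprivileged account "nobody"" would state the reason for the new account correctly. The last install paragraph is a comma splice ("...creating your configuration files, the example configuration shows this only as comments"); split it into two sentences. More importantly, the upgrade message tells admins to consider changing ``user``/``group`` but not what else must change with it: files OpenVPN opens after dropping privileges (keys, certificates, CRL, tls-auth material, status and log files) must be readable or writable by ``openvpn`` or loaded before the drop, and ``persist-key``/``persist-tun`` are needed for ``SIGUSR1`` restarts, as the ``openvpn.8`` change in this same commit explains; without that hint, flipping ``user nobody`` to ``user openvpn`` in an existing config yields a daemon that starts but cannot restart or write its status file.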