security/openvpn: create and use dedicated openvpn user

PR: 259384
freebsd · Nov 1, 2021 · bb6ec07 · bb6ec07
1 parent f206959
commit bb6ec07
Show file tree

Hide file tree

Showing 7 changed files with 89 additions and 11 deletions.
diff --git a/GIDs b/GIDs
@@ -240,7 +240,7 @@ conduit:*:297:
 neolink:*:298:
 owncast:*:299:
 backuppc:*:300:
-# free: 301
+openvpn:*:301:
 netdata:*:302:
 # free: 303
 # free: 304

diff --git a/UIDs b/UIDs
@@ -245,7 +245,7 @@ conduit:*:297:297::0:0:Conduit daemon:/var/db/conduit:/usr/sbin/nologin
 neolink:*:298:298::0:0:& daemon:/nonexistent:/usr/sbin/nologin
 owncast:*:299:299::0:0:& daemon:/nonexistent:/usr/sbin/nologin
 backuppc:*:300:300::0:0:BackupPC pseudo-user:/nonexistent:/usr/sbin/nologin
-# free: 301
+openvpn:*:301:301::0:0:OpenVPN pseudo-user:/nonexistent:/usr/sbin/nologin
 netdata:*:302:302::0:0:NetData Daemon:/var/cache/netdata:/usr/sbin/nologin
 # free: 303
 # free: 304

diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=		openvpn
 DISTVERSION=		2.5.4
-PORTREVISION?=		0
+PORTREVISION?=		1
 CATEGORIES=		security net net-vpn
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 			https://build.openvpn.net/downloads/releases/ \
@@ -21,6 +21,9 @@ SHEBANG_FILES=		sample/sample-scripts/verify-cn \
 			sample/sample-scripts/auth-pam.pl \
 			sample/sample-scripts/ucn.pl
 
+USERS=			openvpn
+GROUPS=			openvpn
+
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--enable-strict
 # set PLUGIN_LIBDIR so that unqualified plugin paths are found:
@@ -119,6 +122,13 @@ pre-configure:
 	@${ECHO} "### --------------------------------------------------------- ###"
 .endif
 
+post-patch:
+	${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
+		-e 's/"nobody"( after init)/"openvpn" \1/' \
+		${WRKSRC}/sample/sample-config-files/*.conf \
+		${WRKSRC}/sample/sample-config-files/xinetd-*-config \
+		${WRKSRC}/doc/man-sections/generic-options.rst
+
 post-configure:
 	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
 	    ${WRKSRC}/src/plugins/auth-pam/Makefile \

diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
@@ -0,0 +1,11 @@
+--- doc/man-sections/generic-options.rst.orig	2021-10-31 16:17:17 UTC
++++ doc/man-sections/generic-options.rst
+@@ -431,7 +431,7 @@ which mode OpenVPN is configured as.
+   able to gain control of an OpenVPN session. Though OpenVPN's security
+   features make this unlikely, it is provided as a second line of defense.
+
+-  By setting ``user`` to :code:`nobody` or somebody similarly unprivileged,
++  By setting ``user`` to :code:`openvpn` or somebody similarly unprivileged,
+   the hostile party would be limited in what damage they could cause. Of
+   course once you take away privileges, you cannot return them to an
+   OpenVPN session. This means, for example, that if you want to reset an
diff --git a/security/openvpn/files/patch-doc_openvpn.8 b/security/openvpn/files/patch-doc_openvpn.8
@@ -0,0 +1,20 @@
+--- doc/openvpn.8.orig	2021-10-05 05:57:01 UTC
++++ doc/openvpn.8
+@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior
+ .B \-\-persist\-key
+ Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&.
+ .sp
+-This option can be combined with \fB\-\-user nobody\fP to allow restarts
++This option can be combined with \fB\-\-user openvpn\fP to allow restarts
+ triggered by the \fBSIGUSR1\fP signal. Normally if you drop root
+ privileges in OpenVPN, the daemon cannot be restarted since it will now
+ be unable to re\-read protected key files.
+@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho
+ able to gain control of an OpenVPN session. Though OpenVPN\(aqs security
+ features make this unlikely, it is provided as a second line of defense.
+ .sp
+-By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged,
++By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged,
+ the hostile party would be limited in what damage they could cause. Of
+ course once you take away privileges, you cannot return them to an
+ OpenVPN session. This means, for example, that if you want to reset an
diff --git a/security/openvpn/files/patch-doc_openvpn.8.html b/security/openvpn/files/patch-doc_openvpn.8.html
@@ -0,0 +1,20 @@
+--- doc/openvpn.8.html.orig	2021-10-05 05:57:01 UTC
++++ doc/openvpn.8.html
+@@ -650,7 +650,7 @@ lower priority, <tt class="docutils literal">n</tt> le
+ <tr><td class="option-group">
+ <kbd><span class="option">--persist-key</span></kbd></td>
+ <td><p class="first">Don't re-read key files across <code>SIGUSR1</code> or <tt class="docutils literal"><span class="pre">--ping-restart</span></tt>.</p>
+-<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> nobody</tt> to allow restarts
++<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> openvpn</tt> to allow restarts
+ triggered by the <code>SIGUSR1</code> signal. Normally if you drop root
+ privileges in OpenVPN, the daemon cannot be restarted since it will now
+ be unable to re-read protected key files.</p>
+@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th
+ useful to protect the system in the event that some hostile party was
+ able to gain control of an OpenVPN session. Though OpenVPN's security
+ features make this unlikely, it is provided as a second line of defense.</p>
+-<p class="last">By setting <tt class="docutils literal">user</tt> to <code>nobody</code> or somebody similarly unprivileged,
++<p class="last">By setting <tt class="docutils literal">user</tt> to <code>openvpn</code> or somebody similarly unprivileged,
+ the hostile party would be limited in what damage they could cause. Of
+ course once you take away privileges, you cannot return them to an
+ OpenVPN session. This means, for example, that if you want to reset an
diff --git a/security/openvpn/files/pkg-message.in b/security/openvpn/files/pkg-message.in
@@ -1,17 +1,34 @@
 [
 { type: install
   message: <<EOM
-  Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
-  startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
+Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
+startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
 
-  Connect to VPN server as a client with this command to include
-  the client.up/down scripts in the initialization:
-  openvpn-client <spec>.ovpn
+Connect to VPN server as a client with this command to include
+the client.up/down scripts in the initialization:
+openvpn-client <spec>.ovpn
 
-  For compatibility notes when interoperating with older OpenVPN
-  versions, please see <http://openvpn.net/relnotes.html>
+For compatibility notes when interoperating with older OpenVPN
+versions, please see <http://openvpn.net/relnotes.html>
 
-  Note that OpenVPN does not officially support LibreSSL.
+Note that OpenVPN does not officially support LibreSSL.
+
+Note that OpenVPN configures a separate user and group "openvpn",
+which should be used instead of the NFS user "nobody"
+when an unprivileged user account is desired.
+
+You may want to add user openvpn and group openvpn when creating your
+configuration files, the example configuration shows this only as comments.
+EOM
+}
+{ type: upgrade
+  message: <<EOM
+Note that OpenVPN now configures a separate user and group "openvpn",
+which should be used instead of the NFS user "nobody"
+when an unprivileged user account is desired.
+
+It is advisable to review existing configuration files and
+to consider adding/changing user openvpn and group openvpn.
 EOM
 }
 ]