upgpkg: openvpn 2.5.0-2: use dedicated user with capabilities

git-svn-id: file:///srv/repos/svn-packages/svn@399566 eb2447ed-0c53-47e4-bac8-5bc4a241df78
archlinux · Nov 6, 2020 · 3da0f77 · 3da0f77
1 parent 80e8e64
commit 3da0f77
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 6 deletions.
diff --git a/trunk/0001-unprivileged.patch b/trunk/0001-unprivileged.patch
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
+index cbcef653..71aa1335 100644
+--- a/distro/systemd/openvpn-client@.service.in
++++ b/distro/systemd/openvpn-client@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index d1cc72cb..691f369e 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
@@ -3,26 +3,36 @@
 pkgname=openvpn
 _tag='8c3dc0551390e92bfd5b2dc83d7502e7095b7325' # git rev-parse v${pkgver}
 pkgver=2.5.0
-pkgrel=1
+pkgrel=2
 pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
 arch=('x86_64')
 url='https://openvpn.net/index.php/open-source.html'
+license=('custom')
 depends=('openssl' 'lzo' 'lz4' 'systemd-libs' 'libsystemd.so' 'pkcs11-helper' 'libpkcs11-helper.so')
 optdepends=('easy-rsa: easy CA and certificate handling'
             'pam: authenticate via PAM')
 makedepends=('git' 'systemd' 'python-docutils')
-license=('custom')
+install=openvpn.install
 validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7'  # OpenVPN - Security Mailing List <security@openvpn.net>
               'B62E6A2B4E56570B7BDC6BE01D829EFECA562812') # Gert Doering <gert@v6.de>
-source=("git+https://github.com/OpenVPN/openvpn.git#tag=${_tag}?signed")
-sha256sums=('SKIP')
+source=("git+https://github.com/OpenVPN/openvpn.git#tag=${_tag}?signed"
+        '0001-unprivileged.patch'
+        'sysusers.conf'
+        'tmpfiles.conf')
+sha256sums=('SKIP'
+            '8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe'
+            '3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621'
+            'b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc')
 
 prepare() {
   cd "${srcdir}"/${pkgname}
 
   # https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19302.html
   sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac
 
+  # start with unprivileged user and keep granted privileges
+  patch -Np1 < ../0001-unprivileged.patch
+
   autoreconf --force --install
 }
 
@@ -52,8 +62,9 @@ package() {
   # Install openvpn
   make DESTDIR="${pkgdir}" install
 
-  # Create empty configuration directories
-  install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+  # Install sysusers and tmpfiles files
+  install -D -m0644 ../sysusers.conf "${pkgdir}"/usr/lib/sysusers.d/openvpn.conf
+  install -D -m0644 ../tmpfiles.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
 
   # Install license
   install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/

diff --git a/trunk/openvpn.install b/trunk/openvpn.install
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+post_upgrade() {
+  # return if old package version greater 2.5.0-1...
+  (( $(vercmp $2 '2.5.0-1') > 0 )) && return
+
+  echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd'
+  echo "   units start the process with a dedicated unprivileged user 'openvpn', with"
+  echo '   extra capabilitiesi(7). The configuration should no longer drop privileges,'
+  echo "   so remove 'user' and 'group' directives."
+  echo '   Scripts that require elevated privileges may need a workaround.'
+}
diff --git a/trunk/sysusers.conf b/trunk/sysusers.conf
@@ -0,0 +1 @@
+u openvpn - "OpenVPN"
diff --git a/trunk/tmpfiles.conf b/trunk/tmpfiles.conf
@@ -0,0 +1,4 @@
+d /etc/openvpn/client 0750 openvpn network -
+d /etc/openvpn/server 0750 openvpn network -
+d /run/openvpn-client 0750 openvpn network -
+d /run/openvpn-server 0750 openvpn network -