This repository has been archived by the owner on May 20, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 251
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
upgpkg: openvpn 2.5.0-2: use dedicated user with capabilities
git-svn-id: file:///srv/repos/svn-packages/svn@399566 eb2447ed-0c53-47e4-bac8-5bc4a241df78
- Loading branch information
eworm
authored and
svntogit
committed
Nov 6, 2020
1 parent
80e8e64
commit 3da0f77
Showing
5 changed files
with
62 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in | ||
index cbcef653..71aa1335 100644 | ||
--- a/distro/systemd/openvpn-client@.service.in | ||
+++ b/distro/systemd/openvpn-client@.service.in | ||
@@ -11,6 +11,9 @@ Type=notify | ||
PrivateTmp=true | ||
WorkingDirectory=/etc/openvpn/client | ||
ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf | ||
+User=openvpn | ||
+Group=network | ||
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE | ||
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE | ||
LimitNPROC=10 | ||
DeviceAllow=/dev/null rw | ||
diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in | ||
index d1cc72cb..691f369e 100644 | ||
--- a/distro/systemd/openvpn-server@.service.in | ||
+++ b/distro/systemd/openvpn-server@.service.in | ||
@@ -11,6 +11,9 @@ Type=notify | ||
PrivateTmp=true | ||
WorkingDirectory=/etc/openvpn/server | ||
ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf | ||
+User=openvpn | ||
+Group=network | ||
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE | ||
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE | ||
LimitNPROC=10 | ||
DeviceAllow=/dev/null rw |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
#!/bin/sh | ||
|
||
post_upgrade() { | ||
# return if old package version greater 2.5.0-1... | ||
(( $(vercmp $2 '2.5.0-1') > 0 )) && return | ||
|
||
echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd' | ||
echo " units start the process with a dedicated unprivileged user 'openvpn', with" | ||
echo ' extra capabilitiesi(7). The configuration should no longer drop privileges,' | ||
echo " so remove 'user' and 'group' directives." | ||
echo ' Scripts that require elevated privileges may need a workaround.' | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
u openvpn - "OpenVPN" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
d /etc/openvpn/client 0750 openvpn network - | ||
d /etc/openvpn/server 0750 openvpn network - | ||
d /run/openvpn-client 0750 openvpn network - | ||
d /run/openvpn-server 0750 openvpn network - |