Proposal: Run under preconfigured user #168
Conversation
Signed-off-by: Pieter <110168856+Pionerd@users.noreply.github.com>
Codecov Report: All modified and coverable lines are covered by tests ✅

```
@@ Coverage Diff @@
##            main     #168   +/-   ##
=======================================
  Coverage   72.54%   72.54%
=======================================
  Files          48       48
  Lines        1872     1872
=======================================
  Hits         1358     1358
  Misses        430      430
  Partials       84       84
```

☔ View full report in Codecov by Sentry.
At least to this file, openvpn-auth-oauth2 does not need access, since it is parsed by systemd and all values are passed as environment variables. Before falling back to the old (and good-ish) pattern, I would like to keep on the DynamicUser approach. At least I will also take this to get some experience with it. I guess the use case that you described is also the use case for the systemd option
What I personally like is that since systemd 251, At the moment, For example, /etc/openvpn-auth-oauth2/server.key should be available as I may have to implement a logic with look-up for To move forward on your side, you could set up a
Understood. As long as I can lock down the mentioned files (also including the server certificate's private key) I'm all for it.
What's the systemd version on your system?
systemd 249 (249.11-0ubuntu3.12)

> From: Jan-Otto Kröpke
> Date: Monday, 12 February 2024 at 19:12
> To: jkroepke/openvpn-auth-oauth2
> Cc: Pieter van der Giessen, Author
> Subject: Re: [jkroepke/openvpn-auth-oauth2] Proposal: Run under preconfigured user (PR #168)
>
> What's the systemd version on your system?
So LoadCredential may require systemd 251 anyways, it may not work in your case.
I am not bound to that version (I can easily upgrade if desired for your component), but I don't know to what extent you want to support "older" systems for other users

> From: Jan-Otto Kröpke
> Date: Monday, 12 February 2024 at 19:17
> To: jkroepke/openvpn-auth-oauth2
> Cc: Pieter van der Giessen, Author
> Subject: Re: [jkroepke/openvpn-auth-oauth2] Proposal: Run under preconfigured user (PR #168)
>
> So LoadCredential may require systemd 251 anyways, it may not work in your case.
Would a group be sufficient, too? Files could be locked down to
Yes, that would also be fine, but we also cannot do that when your component is not running:
#169 will create a permanent system group with fixed gid that should resolve the issue.
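To make the two approaches discussed in this thread concrete, here is an added example systemd unit. It is not the project's own packaging and does not come from any comment above. It contrasts `DynamicUser=` on its own (no ownership can be granted in advance, which is the problem the PR describes) with `DynamicUser=` plus a pre-created fixed system group as #169 proposes, so the private key can be made group-readable, and shows `LoadCredential=` as the alternative for the key on newer systemd. The unit name, the binary path `/usr/bin/openvpn-auth-oauth2` and the group name `openvpn-auth-oauth2` are assumptions; the file paths `/etc/openvpn-auth-oauth2/server.key` and `/etc/sysconfig/openvpn-auth-oauth2` are the ones mentioned in the thread.

```ini
# Example unit (added here; not the project's packaging). Assumed names:
# the service name, /usr/bin/openvpn-auth-oauth2, group "openvpn-auth-oauth2".
[Unit]
Description=openvpn-auth-oauth2 (example unit)
After=network-online.target
Wants=network-online.target

[Service]
# --- Variant A (the situation the PR describes): DynamicUser alone. ---
# The UID/GID is allocated when the service starts and released when it
# stops, so "chown" to that user ahead of time is not possible and a key
# file readable by it would have to be world-readable. Left commented out.
#DynamicUser=yes

# --- Variant B (what #169 introduces): DynamicUser plus a fixed group. ---
# The group must exist before the unit starts (created by the package with a
# fixed gid). Files can then be restricted to root:openvpn-auth-oauth2 0640,
# e.g.:  chgrp openvpn-auth-oauth2 /etc/openvpn-auth-oauth2/server.key
#        chmod 0640 /etc/openvpn-auth-oauth2/server.key
DynamicUser=yes
SupplementaryGroups=openvpn-auth-oauth2

# Alternative for the private key on newer systemd: have systemd (running as
# root) read the file and expose it to the service under
# $CREDENTIALS_DIRECTORY/server.key, so the service user needs no
# permission on the original path at all. Per the thread this may require
# systemd 251 and will not work on the 249 install mentioned above.
#LoadCredential=server.key:/etc/openvpn-auth-oauth2/server.key

# The environment file is parsed by systemd itself, not by the service, so
# the service user does not need read access to it.
EnvironmentFile=/etc/sysconfig/openvpn-auth-oauth2
ExecStart=/usr/bin/openvpn-auth-oauth2

# General hardening that works with both variants.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
UMask=0077

[Install]
WantedBy=multi-user.target
```

A quick check after installing the unit: `systemd-run --property=DynamicUser=yes --property=SupplementaryGroups=openvpn-auth-oauth2 --pipe id` should list the fixed group in the `groups=` output; if the group is missing on the host the unit will fail to start rather than silently running without it. On systemd 249, keep `LoadCredential=` commented out and rely on the group ownership alone.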
I would like to ask you @Pionerd, if you could test https://github.com/jkroepke/openvpn-auth-oauth2/releases/tag/v1.16.0-rc.2 on your side?
@jkroepke I was already trying that yesterday, while refactoring my installation script to incorporate the ownership changes. So I do expect my current setup to fail, but I no longer get any details why it's failing in the new setup. Journalctl output:
I have to add: I also did try to change from the config.yaml
/etc/sysconfig/openvpn-auth-oauth2
Please let me know how I can see errors/misconfigurations in your component again
Oops. That's something not configuration related. This indicates more a faulty binary, and the root cause could be changes in how I compile the binary. In this case, it would be helpful to run the binary without systemd first, e.g. directly from the console.
What this PR does / why we need it

Currently, the `openvpn-auth-oauth2` service runs under a `DynamicUser`, which means that rights cannot reliably be given to the user. This is necessary for locking down:
Special notes for your reviewer
I'm not sure if this is the way to go, since ideally you want to run under the nobody user, but in that case I still don't know how to grant the correct permissions to the above files.
I also am not an expert on packaging, so I have not been able to test this. Mainly as a start of the discussion.
Particularly user-facing changes

Checklist

Complete these before marking the PR as ready to review: