
Proposal: Run under preconfigured user #168

Closed
wants to merge 8 commits into from

Conversation

Pionerd
Contributor

@Pionerd Pionerd commented Feb 12, 2024

What this PR does / why we need it

Currently, the openvpn-auth-oauth2 service runs under a DynamicUser, which means that rights cannot reliably be given to the user.
This is necessary for locking down:

  • the Service Account JSON file containing SA credentials
  • server certificates
  • maybe also /etc/sysconfig/openvpn-auth-oauth2?

Special notes for your reviewer

I'm not sure if this is the way to go, since ideally you want to run under the nobody user, but in that case I still don't know how to grant the correct permissions to the above files.

I also am not an expert on packaging, so I have not been able to test this. Mainly as a start of the discussion.

Particularly user-facing changes

Checklist

Complete these before marking the PR as ready to review:

  • DCO signed
  • The PR title has a summary of the changes
  • The PR body has a summary to reflect any significant (and particularly user-facing) changes introduced by this PR

Signed-off-by: Pieter <110168856+Pionerd@users.noreply.github.com>
codecov bot commented Feb 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (ca5aefa) 72.54% compared to head (625a912) 72.54%.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #168   +/-   ##
=======================================
  Coverage   72.54%   72.54%           
=======================================
  Files          48       48           
  Lines        1872     1872           
=======================================
  Hits         1358     1358           
  Misses        430      430           
  Partials       84       84           


@jkroepke
Owner

jkroepke commented Feb 12, 2024

  • maybe also /etc/sysconfig/openvpn-auth-oauth2?

At least to this file, openvpn-auth-oauth2 does not need access, since it is parsed by systemd and all values are passed as environment variables.

Before falling back to the old (and good-ish) pattern, I would like to keep on the DynamicUser approach. At least I will also take this to get some experience with it.

I guess the use case that you described is also the use case for the systemd option

LoadCredential=
Pass a credential to the unit. Credentials are limited-size binary or textual objects that may be passed to unit processes. They are primarily used for passing cryptographic keys (both public and private) or certificates, user account information or identity information from host to services. The data is accessible from the unit's processes via the file system, at a read-only location that (if possible and permitted) is backed by non-swappable memory. The data is only accessible to the user associated with the unit, via the User=/DynamicUser= settings (as well as the superuser). When available, the location of credentials is exported as the $CREDENTIALS_DIRECTORY environment variable to the unit's processes.

What I personally like is that since systemd 251, LoadCredentialEncrypted exists, which allows storing the Service Account JSON file containing SA credentials in encrypted form, encrypted with the system's TPM and without the gpg hassle.

At the moment, LoadCredential=/etc/openvpn-auth-oauth2/ should work here and systemd should handle the rest without doing a manual chown.

For example, /etc/openvpn-auth-oauth2/server.key should be available as $CREDENTIALS_DIRECTORY/server.key.

I may have to implement a lookup for $CREDENTIALS_DIRECTORY then.


To move forward on your side, you could set up a /etc/systemd/service/openvpn-auth-oauth2.service.d/override.conf which does a partial override of the unit file.
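As an added illustration of the $CREDENTIALS_DIRECTORY lookup mentioned above (example code written for this page, not the project's own), here is a helper that resolves a configured path such as the config file's `file:///etc/openvpn-auth-oauth2/sa.json` against the directory systemd exports when the unit carries a LoadCredential= line; the function names and the drop-in line shown in the comment are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveCredential maps a configured path (optionally carrying the config
// file's "file://" prefix) to the copy systemd exposes when the unit has,
// for example, LoadCredential=server.key:/etc/openvpn-auth-oauth2/server.key
// in a drop-in: the file then appears as $CREDENTIALS_DIRECTORY/server.key,
// readable only by the unit's (Dynamic)User. Lookup is by base name; when no
// credential is present (older systemd, no drop-in) the configured path is
// used unchanged. Hypothetical helper, not the project's own code.
func resolveCredential(configured, credDir string) string {
	path := strings.TrimPrefix(configured, "file://")
	if credDir == "" {
		return path
	}
	candidate := filepath.Join(credDir, filepath.Base(path))
	if _, err := os.Stat(candidate); err == nil {
		return candidate
	}
	return path
}

// readCredential reads the file behind a configured path, preferring the
// systemd-provided credential when CREDENTIALS_DIRECTORY is set.
func readCredential(configured string) ([]byte, error) {
	return os.ReadFile(resolveCredential(configured, os.Getenv("CREDENTIALS_DIRECTORY")))
}

func main() {
	// Constructed demo: a temporary directory stands in for systemd's credentials directory.
	dir, err := os.MkdirTemp("", "creds")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "server.key"), []byte("demo-key"), 0o600); err != nil {
		panic(err)
	}
	os.Setenv("CREDENTIALS_DIRECTORY", dir)
	for _, p := range []string{"/etc/openvpn-auth-oauth2/server.key", "file:///etc/openvpn-auth-oauth2/sa.json"} {
		fmt.Printf("%s -> %s\n", p, resolveCredential(p, dir)) // sa.json has no credential, so it falls back
	}
	if key, err := readCredential("/etc/openvpn-auth-oauth2/server.key"); err == nil {
		fmt.Printf("read %d bytes via the credentials directory\n", len(key))
	}
}
```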

@Pionerd
Contributor Author

Pionerd commented Feb 12, 2024

Understood. As long as I can lock down the mentioned files (also including the server certificate's private key) I'm all for it.

@jkroepke jkroepke marked this pull request as draft February 12, 2024 17:33
@jkroepke
Owner

What's the systemd version on your system?

@Pionerd
Contributor Author

Pionerd commented Feb 12, 2024 via email

@jkroepke
Owner

So LoadCredential may require systemd 251 anyway; it may not work in your case.

@Pionerd
Contributor Author

Pionerd commented Feb 12, 2024 via email

@jkroepke
Owner

Would a group be sufficient, too?

Files could be locked down to root:openvpn-auth-oauth2

@Pionerd
Contributor Author

Pionerd commented Feb 12, 2024

Yes, that would also be fine, but we also cannot do that when your component is not running:

root@xx:/tmp# chown :openvpn-auth-oauth2 testfile.txt
chown: invalid group: ‘:openvpn-auth-oauth2’

@jkroepke
Owner

#169 will create a permanent system group with fixed gid that should resolve the issue.

@jkroepke
Owner

I would like to ask you @Pionerd, if you could test https://github.com/jkroepke/openvpn-auth-oauth2/releases/tag/v1.16.0-rc.2 on your side?

@Pionerd
Contributor Author

Pionerd commented Feb 14, 2024

@jkroepke I was already trying that yesterday, while refactoring my installation script to incorporate the ownership changes. So I do expect my current setup to fail, but I no longer get any details why it's failing in the new setup. journalctl output:

Feb 14 11:24:28 shared-hub-vpn-gateway systemd[1]: Started OpenVPN authenticator.
░░ Subject: A start job for unit openvpn-auth-oauth2.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit openvpn-auth-oauth2.service has finished successfully.
░░ 
░░ The job identifier is 871563.
Feb 14 11:24:28 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=dumped, status=31/SYS
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStart= process belonging to unit openvpn-auth-oauth2.service has exited.
░░ 
░░ The process' exit code is 'dumped' and its exit status is 31.
Feb 14 11:24:28 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Failed with result 'core-dump'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit openvpn-auth-oauth2.service has entered the 'failed' state with result 'core-dump'.

I have to add: I also did try to change from the /etc/sysconfig/openvpn-auth-oauth2 file to /etc/openvpn-auth-oauth2/config.yaml

config.yaml

-rw-r-----   1 root openvpn-auth-oauth2  851 Feb 14 11:25 config.yaml
log:
  format: console
  level: INFO
http:
  baseurl: "https://xx:9000"
  cert: "/etc/openvpn-auth-oauth2/fullchain.pem"
  key: "/etc/openvpn-auth-oauth2/privkey.pem"
  listen: ":9000"
  secret: "xx"
  tls: true
openvpn:
  addr: "unix:///run/openvpn/server.sock"
  password: "xx"
oauth2:
  issuer: "https://accounts.google.com"
  client:
    id: "xx"
    secret: "xx"
  validate:
    groups:
      - xx-admin
      - xx-developer
  refresh:
    enabled: true
    expires: 8h0m0s
    secret: "xx"
provider:
  google:
    admin-email: "xx"
    service-account-config: "file:///etc/openvpn-auth-oauth2/sa.json"

/etc/sysconfig/openvpn-auth-oauth2

# This file is sourced by the openvpn-auth-oauth2.service

# CONFIG_FILE is the path to the configuration file and used in the systemd service file only.
CONFIG_FILE=/etc/openvpn-auth-oauth2/config.yaml

Please let me know how I can see errors/misconfigurations in your component again.

@jkroepke
Owner

state with result 'core-dump'.

Oops. That's something not configuration-related. This indicates more a faulty binary, and the root cause could be changes in how I compile the binary. In this case, it would be helpful to run the binary without systemd first, e.g. directly from the console.

@jkroepke
Owner

@Pionerd please continue in #172 instead of continuing in an already closed PR.
