Package: openvpn
Version: 2.3.7-1
Severity: normal

Dear Maintainer,

I was trying to follow the directions in the OpenVPN HOWTO, to set up
unprivileged mode to secure OpenVPN a bit more.

Note that without using unprivileged mode, I have OpenVPN working properly
when running as root.

The 'Unprivileged mode (Linux only)' heading is found in the 'Hardening
OpenVPN Security' section of the document that is at the following link:

https://openvpn.net/index.php/open-source/documentation/howto.html#security

I called my unprivileged user 'openvpn', created like so:

        adduser --system --no-create-home openvpn

I added the following configuration to my /etc/sudoers.d/local file:

        openvpn ALL=(ALL) NOPASSWD: /sbin/ip

I created /usr/local/sbin/openvpn-ip with the following contents:

        #!/bin/sh
        /usr/bin/sudo /sbin/ip $*

I then put the following extra directives into my openvpn server
configuration:

        user openvpn
        group nogroup
        iproute /usr/local/sbin/openvpn-ip

When I try to start up OpenVPN it fails.
The error shown by 'journalctl _EXE=/usr/sbin/openvpn' follows:

Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28020]: OpenVPN 2.3.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jul  7 2015
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Diffie-Hellman initialized with 2048 bit key
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Socket Buffers: R=[212992->131072] S=[212992->131072]
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: TUN/TAP device tun0 opened
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: TUN/TAP TX queue length set to 100
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: /usr/local/sbin/openvpn-ip link set dev tun0 up mtu 1500
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Linux ip link set failed: external program exited with error status: 1

I modified my /usr/local/sbin/openvpn-ip to capture and log the error
like so:

        #!/bin/sh
        ERR=`/usr/bin/sudo /sbin/ip $* 2>&1`
        RET=$?
        echo $ERR >> /tmp/openvpn-ip.err
        exit $RET

The contents of /tmp/openvpn-ip.err when I try to start OpenVPN are:

        sudo: unable to send audit message: Operation not permitted

If I manually run the following command, the tun interface is brought
up without error:

        sudo -u openvpn /usr/local/sbin/openvpn-ip link set dev tun0 up mtu 1500

I checked my system and selinux is disabled.

I also tried to override the supplied /lib/systemd/system/openvpn@.service
file by copying it to /etc/systemd/system and editing it using the
'systemctl edit --full openvpn@.service' command.

First I tried adding CAP_AUDIT_WRITE CAP_AUDIT_READ CAP_AUDIT_CONTROL to
the CapabilityBoundingSet= directive with no luck.

I tried removing the CapabilityBoundingSet= directive completely with
no luck.

I also removed the DeviceAllow= lines in case some other device access
was needed, but no luck.

Finally I also removed the ProtectSystem=yes directive with no luck.

Each time I edited the file, I tried the following commands before
starting the service:

        systemctl reenable openvpn@.service
        systemctl daemon-reload
        systemctl daemon-reexec

As far as I can tell, after my edits the service shouldn't be using
any of systemd's features to lock down security on it.
So I'm at a bit of a loss as to why the sudo command is failing to
send an audit message when calling the /sbin/ip script.
But systemd (and capabilities) are still a new concept to me,
so there is bound to be something I'm missing.

Any help/ideas would be appreciated.

Also, since systemd defines a restricted set of capabilities for
the OpenVPN service, am I just wasting my time trying to set up
unprivileged mode anyway?

Jim.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.1.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.57
ii  init-system-helpers    1.23
ii  initscripts            2.88dsf-59.2
ii  iproute2               4.0.0-1
ii  libc6                  2.19-19
ii  liblzo2-2              2.08-1.2
ii  libpam0g               1.1.8-3.1
ii  libpkcs11-helper1      1.11-4
ii  libssl1.0.0            1.0.2d-1
ii  libsystemd0            222-2

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-2

Versions of packages openvpn suggests:
ii  openssl     1.0.2d-1
pn  resolvconf  <none>

-- debconf information:
  openvpn/create_tun: false

