Date: Friday, November 6, 2020 @ 07:02:10 Author: eworm Revision: 399566
upgpkg: openvpn 2.5.0-2: use dedicated user with capabilities Added: openvpn/trunk/0001-unprivileged.patch openvpn/trunk/openvpn.install openvpn/trunk/sysusers.conf openvpn/trunk/tmpfiles.conf Modified: openvpn/trunk/PKGBUILD -------------------------+ 0001-unprivileged.patch | 28 ++++++++++++++++++++++++++++ PKGBUILD | 23 +++++++++++++++++------ openvpn.install | 12 ++++++++++++ sysusers.conf | 1 + tmpfiles.conf | 4 ++++ 5 files changed, 62 insertions(+), 6 deletions(-) Added: 0001-unprivileged.patch =================================================================== --- 0001-unprivileged.patch (rev 0) +++ 0001-unprivileged.patch 2020-11-06 07:02:10 UTC (rev 399566) 
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/[email protected] b/distro/systemd/[email protected]
+index cbcef653..71aa1335 100644
+--- a/distro/systemd/[email protected]
++++ b/distro/systemd/[email protected]
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/[email protected] b/distro/systemd/[email protected]
+index d1cc72cb..691f369e 100644
+--- a/distro/systemd/[email protected]
++++ b/distro/systemd/[email protected]
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-11-05 23:12:50 UTC (rev 399565)
+++ PKGBUILD 2020-11-06 07:02:10 UTC (rev 399566)
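Review bot: The AmbientCapabilities= line added to each unit is a verbatim copy of the CapabilityBoundingSet= context line right below it, so the process now starts as `openvpn` holding the same CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT it previously held as root, and the dedicated user isolates comparatively little on its own; the patch also carries no header text explaining which OpenVPN feature needs which capability. A short description before the first `diff --git` line, stating that the ambient set must remain a subset of the bounding set, naming the feature behind each capability, and pointing out that CAP_DAC_OVERRIDE can be removed with a unit drop-in once the config and key files are readable by the service user, would let downstream administrators narrow the set safely. Whether CAP_SETUID/CAP_SETGID are still needed once the `user`/`group` config directives are removed, as openvpn.install in this commit asks, cannot be told from this hunk.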
@@ -3,19 +3,26 @@ pkgname=openvpn _tag='8c3dc0551390e92bfd5b2dc83d7502e7095b7325' # git rev-parse v${pkgver} pkgver=2.5.0 -pkgrel=1 +pkgrel=2 pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)' arch=('x86_64') url='https://openvpn.net/index.php/open-source.html' +license=('custom') depends=('openssl' 'lzo' 'lz4' 'systemd-libs' 'libsystemd.so' 'pkcs11-helper' 'libpkcs11-helper.so') optdepends=('easy-rsa: easy CA and certificate handling' 'pam: authenticate via PAM') makedepends=('git' 'systemd' 'python-docutils') -license=('custom') +install=openvpn.install validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7' # OpenVPN - Security Mailing List <[email protected]> 'B62E6A2B4E56570B7BDC6BE01D829EFECA562812') # Gert Doering <[email protected]> -source=("git+https://github.com/OpenVPN/openvpn.git#tag=${_tag}?signed") -sha256sums=('SKIP') +source=("git+https://github.com/OpenVPN/openvpn.git#tag=${_tag}?signed" + '0001-unprivileged.patch' + 'sysusers.conf' + 'tmpfiles.conf') +sha256sums=('SKIP' + '8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe' + '3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621' + 'b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc') prepare() { cd "${srcdir}"/${pkgname} @@ -23,6 +30,9 @@ # https://www.mail-archive.com/[email protected]/msg19302.html sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac + # start with unprivileged user and keep granted privileges + patch -Np1 < ../0001-unprivileged.patch + autoreconf --force --install } 
@@ -52,8 +62,9 @@
 # Install openvpn
 make DESTDIR="${pkgdir}" install
- # Create empty configuration directories
- install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+ # Install sysusers and tmpfiles files
+ install -D -m0644 ../sysusers.conf "${pkgdir}"/usr/lib/sysusers.d/openvpn.conf
+ install -D -m0644 ../tmpfiles.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
 # Install license
 install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
Added: openvpn.install
===================================================================
--- openvpn.install (rev 0)
+++ openvpn.install 2020-11-06 07:02:10 UTC (rev 399566)
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+post_upgrade() {
+ # return if old package version greater 2.5.0-1...
+ (( $(vercmp $2 '2.5.0-1') > 0 )) && return
+
+ echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd'
+ echo " units start the process with a dedicated unprivileged user 'openvpn', with"
+ echo ' extra capabilitiesi(7). The configuration should no longer drop privileges,'
+ echo " so remove 'user' and 'group' directives."
+ echo ' Scripts that require elevated privileges may need a workaround.'
+}
Added: sysusers.conf
===================================================================
--- sysusers.conf (rev 0)
+++ sysusers.conf 2020-11-06 07:02:10 UTC (rev 399566)
@@ -0,0 +1 @@
+u openvpn - "OpenVPN"
Added: tmpfiles.conf
===================================================================
--- tmpfiles.conf (rev 0)
+++ tmpfiles.conf 2020-11-06 07:02:10 UTC (rev 399566)
@@ -0,0 +1,4 @@
+d /etc/openvpn/client 0750 openvpn network -
+d /etc/openvpn/server 0750 openvpn network -
+d /run/openvpn-client 0750 openvpn network -
+d /run/openvpn-server 0750 openvpn network -
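Review bot: The third echo in post_upgrade of openvpn.install has a typo in the user-facing text: `extra capabilitiesi(7)` should read `extra capabilities(7)`. The file also declares `#!/bin/sh` while the version check relies on the bash-only `(( ... ))` arithmetic; pacman runs scriptlets with bash as far as I know, so it works, but the shebang is misleading. Either change it to `#!/bin/bash` or use the POSIX form `[ "$(vercmp "$2" '2.5.0-1')" -gt 0 ] && return`, which also quotes `$2`.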
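Review bot: The two `d /etc/openvpn/...` lines in tmpfiles.conf make the service account the owner of its own configuration directories, whereas the `install -d -m0750 -g 90` removed from PKGBUILD in this commit left them root-owned with group access only; an openvpn process, or any script it runs, can then rewrite the persistent configuration it is started from. `d /etc/openvpn/client 0750 root network -` (and likewise for server) keeps read access through the `network` group while reserving writes to root. As long as CAP_DAC_OVERRIDE stays in the units' ambient set the process can bypass file permissions anyway, so this only pays off for deployments that drop that capability with a drop-in; note also that a `d` entry adjusts owner and mode of the already existing directories on upgrade. Whether the `/run/openvpn-*` lines duplicate a RuntimeDirectory= setting in the upstream units cannot be told from this diff.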
