On November 26, 2016 10:38 Christian Hesse wrote:
Hello everybody,

a new OpenVPN stable release is being prepared, namely version 2.4.0.
Currently we have 2.4_beta2. I think about making changes to our package that
require user intervention.

We shipped a systemd unit file before OpenVPN upstream had one. Upstream now
has unit files, but two (for server and client) instead of just one. I did
backport some security features for our unit, but refused to migrate to the
upstream solution within the 2.3.x branch.

That could change with 2.4.0. Instead of openvpn@.service we would have
openvpn-server@.service and openvpn-client@.service. Additionally the
'daemon' option is no longer allowed with the upstream units.

Any opinion about this change? Who can post news about this on the website?

Stumbled upon another fact... We define PLUGIN_LIBDIR, which allows using
relative paths from that directory in configuration to call the plugins. This
path is '/usr/lib/openvpn' - plugins are installed to
'/usr/lib/openvpn/plugins', though. Any reason for that?

Well,

       I think it is good upstream is (finally) caring about the actual
       deployment of their software. I always found openvpn packaging
       odd on all the systems I used. On some, a user is created for
       running unprivileged. On others, everything is created and taken
       care of, including logging.

       I do not oppose using whatever upstream is deploying, if it's
       rational. I just think that we could create a system user for
       openvpn, even if most users will deploy it using root. In that
       sense we would also (probably) need a /run/openvpn directory.

       I managed to make openvpn work entirely unprivileged here and
       I plan on changing our wiki[0] on the matter (it's missing some
       info) and also the official documentation[1] does not account for
       systemd or ip netns exec, which is a clear avenue for privilege
       escalation. What do you guys think?

Cheers,
Giancarlo Razzolini

[0] https://wiki.archlinux.org/index.php/OpenVPN#Drop_root_privileges_after_connecting
[1] https://openvpn.net/index.php/open-source/documentation/howto.html#security
