Your message dated Mon, 30 Jul 2018 10:06:02 +0200
with message-id <[email protected]>
and subject line Re: openvpn: Unprivileged mode results in "sudo: unable to
send audit message: Operation not permitted"
has caused the Debian Bug report #792653,
regarding openvpn: Unprivileged mode results in "sudo: unable to send audit
message: Operation not permitted"
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
792653: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792653
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn
Version: 2.3.7-1
Severity: normal
Dear Maintainer,
I was trying to follow the directions in the OpenVPN HOWTO, to set up
unprivileged mode to secure OpenVPN a bit more.
Note that without using unprivileged mode, I have OpenVPN working properly
when running as root.
The 'Unprivileged mode (Linux only)' heading is found in the 'Hardening
OpenVPN Security' section of the document that is at the following link:
https://openvpn.net/index.php/open-source/documentation/howto.html#security
I called my unprivileged user 'openvpn', created like so:
adduser --system --no-create-home openvpn
I added the following configuration to my /etc/sudoers.d/local file:
openvpn ALL=(ALL) NOPASSWD: /sbin/ip
I created /usr/local/sbin/openvpn-ip with the following contents:
#!/bin/sh
# Pass the arguments through quoted: "$@" preserves each argument as OpenVPN
# supplied it, whereas an unquoted $* re-splits them on whitespace.
exec /usr/bin/sudo /sbin/ip "$@"
I then put the following extra directives into my openvpn server
configuration:
user openvpn
group nogroup
iproute /usr/local/sbin/openvpn-ip
When I try to start up OpenVPN it fails.
The error shown by 'journalctl _EXE=/usr/sbin/openvpn' follows:
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28020]: OpenVPN 2.3.7
x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on
Jul 7 2015
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: NOTE: the current
--script-security setting may allow this configuration to call user-defined
scripts
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Diffie-Hellman initialized
with 2048 bit key
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Control Channel
Authentication: using 'ta.key' as a OpenVPN static key file
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Outgoing Control Channel
Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Incoming Control Channel
Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Socket Buffers:
R=[212992->131072] S=[212992->131072]
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: TUN/TAP device tun0 opened
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: TUN/TAP TX queue length set
to 100
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: do_ifconfig, tt->ipv6=1,
tt->did_ifconfig_ipv6_setup=1
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: /usr/local/sbin/openvpn-ip
link set dev tun0 up mtu 1500
Jul 17 14:22:43 gecko ovpn-openvpn-udp-1194[28023]: Linux ip link set failed:
external program exited with error status: 1
I modified my /usr/local/sbin/openvpn-ip to capture and log the error
like so:
#!/bin/sh
# Capture sudo's stderr and exit status, append the error text to a log
# file, then hand sudo's exit status back to OpenVPN.
ERR=$(/usr/bin/sudo /sbin/ip "$@" 2>&1)
RET=$?
echo "$ERR" >> /tmp/openvpn-ip.err
exit $RET
The contents of /tmp/openvpn-ip.err when I try to start OpenVPN are:
sudo: unable to send audit message: Operation not permitted
If I manually run the following command, the tun interface is brought
up without error:
sudo -u openvpn /usr/local/sbin/openvpn-ip link set dev tun0 up mtu 1500
I checked my system and selinux is disabled.
I also tried to override the supplied /lib/systemd/system/[email protected]
file by copying it to /etc/systemd/system and editing it using the
'systemctl edit --full [email protected]' command.
First I tried adding CAP_AUDIT_WRITE CAP_AUDIT_READ CAP_AUDIT_CONTROL to
the CapabilityBoundingSet= directive with no luck.
I tried removing the CapabilityBoundingSet= directive completely with
no luck.
I also removed the DeviceAllow= lines in case some other device access
was needed, but no luck.
Finally I also removed the ProtectSystem=yes directive with no luck.
Each time I edited the file, I tried the following commands before
starting the service:
systemctl reenable [email protected]
systemctl daemon-reload
systemctl daemon-reexec
As far as I can tell, after my edits the service shouldn't be using
any of systemd's features to lock down security on it.
So I'm at a bit of a loss as to why the sudo command is failing to
send an audit message when calling the /sbin/ip script.
But systemd (and capabilities) are still a new concept to me,
so there is bound to be something I'm missing.
Any help/ideas would be appreciated.
Also, since systemd defines a restricted set of capabilities for
the OpenVPN service, am I just wasting my time trying to set up
unprivileged mode anyway?
Jim.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.1.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openvpn depends on:
ii debconf [debconf-2.0] 1.5.57
ii init-system-helpers 1.23
ii initscripts 2.88dsf-59.2
ii iproute2 4.0.0-1
ii libc6 2.19-19
ii liblzo2-2 2.08-1.2
ii libpam0g 1.1.8-3.1
ii libpkcs11-helper1 1.11-4
ii libssl1.0.0 1.0.2d-1
ii libsystemd0 222-2
Versions of packages openvpn recommends:
ii easy-rsa 2.2.2-2
Versions of packages openvpn suggests:
ii openssl 1.0.2d-1
pn resolvconf <none>
-- debconf information:
openvpn/create_tun: false
--- End Message ---
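The setup steps and the diagnosis in the report above both turn on the same wrapper script, so here is one added example (not Jim's script, and not anything shipped by the openvpn package) of what a hardened /usr/local/sbin/openvpn-ip could look like. It assumes the sudoers rule from the report ('openvpn ALL=(ALL) NOPASSWD: /sbin/ip'); the allow-list of ip(8) subcommands, the log path and all function names are assumptions made up for the example, and the allow-list in particular should be extended from the exact ip commands the service logs. The wrapper refuses ip invocations outside the allow-list, because the NOPASSWD rule otherwise lets the openvpn user run any ip command as root. Before calling sudo it also reads its own CapBnd line from /proc/self/status and logs whether CAP_AUDIT_WRITE (capability number 29) is in the bounding set: sudo prints 'unable to send audit message: Operation not permitted' when the kernel refuses its audit netlink message, and the kernel requires CAP_AUDIT_WRITE for that. Since the bounding set is inherited across fork and exec and is not changed by setuid, what the wrapper sees is what the service unit actually started the daemon with, which is a cheaper check than editing the unit file by trial and error. The report itself does not establish why Jim's unit-file edits did not help, and this example does not claim to.

```shell
#!/bin/sh
# Hypothetical hardened /usr/local/sbin/openvpn-ip (added example, not the
# script from the bug report and not part of the openvpn package).
# Assumes the sudoers rule from the report:
#   openvpn ALL=(ALL) NOPASSWD: /sbin/ip
# The log path and the function names are constructed for the example.

LOG=${OPENVPN_IP_LOG:-/tmp/openvpn-ip.err}
IP=/sbin/ip
SUDO=/usr/bin/sudo

# cap_in_mask HEXMASK BIT: succeed if capability number BIT is set in a
# /proc/PID/status capability mask such as "0000003fffffffff" (no 0x prefix).
cap_in_mask() {
    _mask=$1
    _bit=$2
    [ -n "$_mask" ] || return 1
    [ $(( (0x$_mask >> $_bit) & 1 )) -eq 1 ]
}

# bounding_set_has_audit_write: read this process's own CapBnd line and report
# whether CAP_AUDIT_WRITE (capability 29) is in the bounding set.  The bounding
# set is inherited across fork and exec and unchanged by setuid, so the value
# seen here is the one the service was started with.
bounding_set_has_audit_write() {
    _bnd=$(sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status)
    cap_in_mask "$_bnd" 29
}

# ip_call_allowed ARGS...: accept only the ip(8) subcommands OpenVPN uses to
# configure the tunnel (link set, addr add/del, route add/del, optionally
# preceded by -4 or -6).  This list is an assumption; extend it from the ip
# commands the service logs.  Anything else is refused so the NOPASSWD rule
# cannot be turned into arbitrary ip calls as root.
ip_call_allowed() {
    case "$1" in
        -4|-6) shift ;;
    esac
    case "$1 $2" in
        "link set"|"addr add"|"addr del"|"route add"|"route del") return 0 ;;
        *) return 1 ;;
    esac
}

# run_wrapper ARGS...: the wrapper body, kept in a function so the helpers
# above can be sourced and exercised without running ip.
run_wrapper() {
    if ! ip_call_allowed "$@"; then
        echo "openvpn-ip: refused: ip $*" >> "$LOG"
        return 1
    fi
    if ! bounding_set_has_audit_write; then
        _bnd=$(sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status)
        echo "openvpn-ip: CAP_AUDIT_WRITE not in bounding set (CapBnd: $_bnd)" >> "$LOG"
    fi
    # Keep sudo's stderr in the log but hand its exit status back to OpenVPN.
    "$SUDO" "$IP" "$@" 2>> "$LOG"
}

# Only act when invoked with arguments, i.e. by OpenVPN's iproute hook.
if [ $# -gt 0 ]; then
    run_wrapper "$@"
    exit $?
fi
```

With the wrapper installed as the iproute script, the log tells you which of the two problems you have: a 'refused' line means the allow-list needs the ip command OpenVPN just logged added to it, and a CAP_AUDIT_WRITE line means the bounding set the service runs under lacks the capability, which can be cross-checked against the unit's CapabilityBoundingSet property with systemctl show.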
--- Begin Message ---
Hello Jim,
thank you for spending your time helping to make Debian better with
this bug report.
You filed this bug against a release that is no longer supported,
so I am closing this bug. If the bug still exists, please file a new bug from
a supported release.
CU
Jörg
- --
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB 30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key : 8CA1D25D
CAcert Key S/N : 0E:D4:56
Old pgp Key: BE581B6E (revoked since 2014-12-31).
Jörg Frings-Fürst
D-54470 Lieser
git: https://jff.email/cgit/
Threema: SYR8SJXB
Wire: @joergfringsfuerst
Skype: joergpenguin
Ring: jff
Telegram: @joergfringsfuerst
My wish list:
- Please send me a picture from the nature at your home.
--- End Message ---