David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2016/12/09 20:42:
> On 09/12/16 19:13, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > ProtectSystem=strict mounts the entire file system hierarchy read-only,
> > except for the API file system subtrees /dev, /proc and /sys (which can
> > be protected using PrivateDevices=, ProtectKernelTunables=,
> > ProtectControlGroups=).
> > 
> > ProtectHome=true makes the directories /home, /root and /run/user
> > inaccessible and empty for the process.  
> Currently I don't think we can use ProtectedHome= .... as it is fully
> possible to save certificates and keys under $HOME/.cert on Fedora/RHEL
> (and clones).  There is even a specific SELinux label for files in that
> path, home_cert_t.

I know that NetworkManager and its openvpn plugin use $HOME/.cert/... But
openvpn is not started from systemd then. Do we have setups where openvpn
starts from systemd and reads certificates from $HOME?

ProtectHome=read-only could help here... But I would still prefer

BTW, setting can be overwritten with something like:

mkdir /etc/systemd/system/openvpn-client@example.service.d
cat > /etc/systemd/system/openvpn-client@example.service.d/protecthome.conf

> For the others, I think they are more reasonable ... But I need to dig
> into the more murky details to be 100% they are safe for us.  This is
> anyhow something we need to postpone until after 2.4.0 ... I don't dare
> adding more things which may backfire in rc2, as we're on a strict
> schedule to manage the next Debian release.
> Once rc2 settles, I will start playing with this patch.

Agreed this is post-2.4.0 stuff. ;)

You can break this with something like:

status /etc/openvpn/client/status.log

in your configuration. Writing a status file
to /run/openvpn-{client,server}/status.log works, though. So the default
setups should be fine. Do we have any more cases where openvpn wants write
access for whatever?
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

Attachment: pgpsreZ2srCdu.pgp
Description: OpenPGP digital signature

Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi
Openvpn-devel mailing list

Reply via email to