David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2016/12/09 20:42:
> On 09/12/16 19:13, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> >
> > ProtectSystem=strict mounts the entire file system hierarchy read-only,
> > except for the API file system subtrees /dev, /proc and /sys (which can
> > be protected using PrivateDevices=, ProtectKernelTunables=,
> > ProtectControlGroups=).
> >
> > ProtectHome=true makes the directories /home, /root and /run/user
> > inaccessible and empty for the process.
>
> Currently I don't think we can use ProtectedHome= .... as it is fully
> possible to save certificates and keys under $HOME/.cert on Fedora/RHEL
> (and clones). There is even a specific SELinux label for files in that
> path, home_cert_t.

I know that NetworkManager and its openvpn plugin use $HOME/.cert/... But
openvpn is not started from systemd then. Do we have setups where openvpn
starts from systemd and reads certificates from $HOME?

ProtectHome=read-only could help here... But I would still prefer
ProtectHome=true. BTW, the setting can be overwritten with something like:

mkdir /etc/systemd/system/openvpn-client@example.service.d
cat > /etc/systemd/system/openvpn-client@example.service.d/protecthome.conf <<EOF
[Service]
ProtectHome=read-only
EOF

> For the others, I think they are more reasonable ... But I need to dig
> into the more murky details to be 100% they are safe for us. This is
> anyhow something we need to postpone until after 2.4.0 ... I don't dare
> adding more things which may backfire in rc2, as we're on a strict
> schedule to manage the next Debian release.
>
> Once rc2 settles, I will start playing with this patch.

Agreed this is post-2.4.0 stuff. ;)

You can break this with something like:

status /etc/openvpn/client/status.log

in your configuration. Writing a status file to
/run/openvpn-{client,server}/status.log works, though. So the default setups
should be fine. Do we have any more cases where openvpn wants write access for
whatever?
--
main(a){char*c=/*    Schoene Gruesse                 */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards    my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris       cc -ox -xc - && ./x    */b/42*2-3)*42);}
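The message above raises two concrete ways the hardened unit can break a working setup: write directives such as `status` pointing outside the runtime directory (read-only under ProtectSystem=strict), and certificate or key paths under $HOME (hidden under ProtectHome=true). The following POSIX shell linter is an added example for this list, not code from the OpenVPN project or from either poster. It assumes, following the status-file observation above, that the unit leaves only /run/openvpn-client and /run/openvpn-server writable; the set of read and write directives it knows and the sample config it checks are constructed for the example.

```shell
#!/bin/sh
# Lint an OpenVPN config for paths that would fail under
# ProtectSystem=strict and ProtectHome=true.
# Example code, not part of OpenVPN. Assumption: the unit grants write
# access only below /run/openvpn-client and /run/openvpn-server.
set -f   # no globbing while we word-split config lines

# Directives whose argument is a file OpenVPN writes (constructed list).
WRITE_DIRECTIVES="status log log-append writepid ifconfig-pool-persist"
# Directives whose argument is a file OpenVPN reads at start (constructed list).
READ_DIRECTIVES="ca cert key pkcs12 auth-user-pass tls-auth tls-crypt dh"

# Prints one finding per line; returns 0 when clean, 1 when any path would fail.
check_openvpn_config_paths() {
    config="$1"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # strip '#' and ';' comments, then split into directive and arguments
        line=${line%%#*}
        line=${line%%;*}
        set -- $line
        [ $# -ge 2 ] || continue
        directive=$1
        path=$2
        case " $WRITE_DIRECTIVES " in
            *" $directive "*)
                case "$path" in
                    /run/openvpn-client/*|/run/openvpn-server/*) ;;   # writable runtime dir
                    /*) echo "WRITE $directive $path: read-only under ProtectSystem=strict"; rc=1 ;;
                    *)  echo "WRITE $directive $path: relative path, resolve against cwd before judging"; rc=1 ;;
                esac ;;
        esac
        case " $READ_DIRECTIVES " in
            *" $directive "*)
                case "$path" in
                    /home/*|/root/*|/run/user/*)
                        echo "READ $directive $path: hidden under ProtectHome=true"; rc=1 ;;
                esac ;;
        esac
    done < "$config"
    return $rc
}

# Constructed sample client config covering the cases discussed in the thread.
write_sample_config() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.com 1194
ca /etc/openvpn/client/ca.crt
cert /home/alice/.cert/client.crt
key /home/alice/.cert/client.key
status /etc/openvpn/client/status.log
log /run/openvpn-client/example.log
writepid /var/run/openvpn.pid
EOF
}

# Usage: run the check over the constructed config.
cfg=$(mktemp)
write_sample_config "$cfg"
check_openvpn_config_paths "$cfg" || echo "findings above would break under the hardened unit"
rm -f "$cfg"
```

Run it against a real config with `check_openvpn_config_paths /etc/openvpn/client/foo.conf`; a non-zero exit means the unit needs either the drop-in shown above (ProtectHome=read-only) or the offending files moved into the runtime directory. Relative paths are flagged rather than judged, since they depend on the working directory OpenVPN ends up in.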
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel