Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

Sat, 10 Dec 2016 04:00:24 -0800 

SviMik <svi...@mail.ru> on Sat, 2016/12/10 06:06:
> > You can break this with something like:
> > 
> > status /etc/openvpn/client/status.log
> > 
> > in your configuration. Writing a status file
> > to /run/openvpn-{client,server}/status.log works, though. So the default
> > setups should be fine. Do we have any more cases where openvpn wants write
> > access for whatever?  
> 
> From my configuration:
> 1) status

That is fine if it is written to /run/openvpn-{client,server}/. It breaks
with the status file in /etc/openvpn/{client,server}/ or example.

> 2) ifconfig-pool-persist

That is a problem... As the name suggests this should be persistent. :-/

> 3) tmp-dir (for storing openvpn_pf_*.tmp files)

Never used this. What is it for?
Anyway, I think this is not persistent stuff? Writing to /tmp/
or /run/openvpn-{client,server}/ should be fine.

> 4) client-connect script may want to write something

My scripts do some configuration and dbus-stuff, but do not write anything...
Writing to read-only path would fail, of course.

> 5) a plugin may want to write something

Same here... /run/ and /tmp/ is fine, other paths fail.

> For me even the read-only option will break nearly *everything*. And for
> user it will be completely not obvious why his scripts doesn't work, why
> his status file is not updated, and what's wrong with ifconfig-pool-persist.

Well, the error message should include something like: "cannot open file
'file': Read-only file system".

But this is more problematic than I thought initially.
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

Attachment: pgpkdE7knZNap.pgp
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to