From: Christian Hesse <m...@eworm.de> Now that we have a native netlink interface, run the process with the dedicated user 'openvpn'. This is made possible by granting ambient capabilities; see systemd.exec(5).
Signed-off-by: Christian Hesse <m...@eworm.de>
---
 .gitignore | 1 +
 configure.ac | 9 +++++++++
 distro/systemd/Makefile.am | 24 ++++++++++++++++++++++-
 distro/systemd/openvpn-cli...@.service.in | 4 +++-
 distro/systemd/openvpn-ser...@.service.in | 4 +++-
 distro/systemd/sysusers-openvpn.conf | 1 +
 distro/systemd/tmpfiles-openvpn.conf | 2 --
 distro/systemd/tmpfiles-openvpn.conf.in | 4 ++++
 src/openvpn/init.c | 8 ++++++++
 9 files changed, 52 insertions(+), 5 deletions(-)
 create mode 100644 distro/systemd/sysusers-openvpn.conf
 delete mode 100644 distro/systemd/tmpfiles-openvpn.conf
 create mode 100644 distro/systemd/tmpfiles-openvpn.conf.in
diff --git a/.gitignore b/.gitignore
index 25009d81..00abdd5a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -55,6 +55,7 @@ doc/openvpn.8.html
 /doc/doxygen/openvpn.doxyfile
 distro/rpm/openvpn.spec
 distro/systemd/*.service
+distro/systemd/tmpfiles-openvpn.conf
 sample/sample-keys/sample-ca/
 vendor/.build
 vendor/dist
diff --git a/configure.ac b/configure.ac
index 251cb9a2..ef8f5864 100644
--- a/configure.ac
+++ b/configure.ac
@@ -367,6 +367,7 @@ AC_ARG_VAR([GIT], [path to git utility])
 AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
 AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@])
 AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@])
+AC_ARG_VAR([SYSUSERS_DIR], [Path of sysusers directory @<:@default=LIBDIR/sysusers.d@:>@])
 AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
@@ -1200,6 +1201,12 @@ if test "$enable_systemd" = "yes" ; then
 else
 tmpfilesdir="\${libdir}/tmpfiles.d"
 fi
+
+ if test -n "${SYSUSERS_DIR}"; then
+ sysusersdir="${SYSUSERS_DIR}"
+ else
+ sysusersdir="\${libdir}/sysusers.d"
+ fi
 fi
@@ -1375,6 +1382,7 @@ AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
 AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"])
 AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
 AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"])
+AM_CONDITIONAL([ENABLE_IPROUTE], [test "${enable_iproute2}" = "yes"])
 sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
@@ -1382,6 +1390,7 @@ AC_SUBST([sampledir])
 AC_SUBST([systemdunitdir])
 AC_SUBST([tmpfilesdir])
+AC_SUBST([sysusersdir])
 VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/"
 VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist"
diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
index 69e12699..1b7ce5f9 100644
--- a/distro/systemd/Makefile.am
+++ b/distro/systemd/Makefile.am
@@ -10,14 +10,35 @@
 %.service: %.service.in Makefile
 $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \
+ -e 's|\@SYSTEMD_USER\@|$(SYSTEMD_USER)|' \
+ -e 's|\@SYSTEMD_CAPS_OPTION\@|$(SYSTEMD_CAPS_OPTION)|' \
+ -e 's|\@SYSTEMD_CAPS_VALUES\@|$(SYSTEMD_CAPS_VALUES)|' \
+ $< > $@.tmp && mv $@.tmp $@
+
+%.conf: %.conf.in Makefile
+ $(AM_V_GEN)sed -e 's|\@SYSTEMD_USER\@|$(SYSTEMD_USER)|g' \
 $< > $@.tmp && mv $@.tmp $@
 EXTRA_DIST = \
- tmpfiles-openvpn.conf \
+ sysusers-openvpn.conf \
+ tmpfiles-openvpn.conf.in \
 openvpn-cli...@.service.in \
 openvpn-ser...@.service.in
 if ENABLE_SYSTEMD
+if ENABLE_IPROUTE
+SYSTEMD_USER=root
+SYSTEMD_CAPS_OPTION=CapabilityBoundingSet
+SYSTEMD_CAPS_VALUES=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+else
+SYSTEMD_USER=openvpn
+SYSTEMD_CAPS_OPTION=AmbientCapabilities
+SYSTEMD_CAPS_VALUES=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+
+sysusers_DATA = \
+ sysusers-openvpn.conf
+endif
+
 systemdunit_DATA = \
 openvpn-client@.service \
 openvpn-server@.service
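Review bot: The non-root branch (`SYSTEMD_CAPS_OPTION=AmbientCapabilities`) drops the `CapabilityBoundingSet=` directive the units carried before, because the single `@SYSTEMD_CAPS_OPTION@` placeholder can only emit one of the two lines. Ambient capabilities are preserved across execve into unprivileged programs, so anything the daemon spawns inherits CAP_NET_ADMIN and CAP_DAC_OVERRIDE, and the bounding set is left at its default unless `CapabilityBoundingSet=` is also given; keeping a fixed `CapabilityBoundingSet=@SYSTEMD_CAPS_VALUES@` line in both unit templates and substituting only the additional `AmbientCapabilities=` line in the non-root case (or adding `NoNewPrivileges=true`) would retain the earlier restriction. Separately, the shared `SYSTEMD_CAPS_VALUES` list grants the client unit CAP_NET_BIND_SERVICE, which its previous `CapabilityBoundingSet=` (see the openvpn-cli...@.service.in hunk) did not include; a per-unit value would avoid widening the client.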
@@ -28,6 +49,7 @@ dist_doc_DATA = \
 install-data-hook:
 mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf
+ mv $(DESTDIR)$(sysusersdir)/sysusers-openvpn.conf $(DESTDIR)$(sysusersdir)/openvpn.conf || true
 endif
 MAINTAINERCLEANFILES = \
diff --git a/distro/systemd/openvpn-cli...@.service.in b/distro/systemd/openvpn-cli...@.service.in
index cbcef653..96cbf68e 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -9,9 +9,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
+User=@SYSTEMD_USER@
+Group=@SYSTEMD_USER@
 WorkingDirectory=/etc/openvpn/client
 ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+@SYSTEMD_CAPS_OPTION@=@SYSTEMD_CAPS_VALUES@
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in
index a8366a04..3f00642e 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -9,9 +9,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
+User=@SYSTEMD_USER@
+Group=@SYSTEMD_USER@
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+@SYSTEMD_CAPS_OPTION@=@SYSTEMD_CAPS_VALUES@
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/distro/systemd/sysusers-openvpn.conf b/distro/systemd/sysusers-openvpn.conf
new file mode 100644
index 00000000..d200852b
--- /dev/null
+++ b/distro/systemd/sysusers-openvpn.conf
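Review bot: `|| true` on the new `mv` in install-data-hook hides every failure of the move, not only the ENABLE_IPROUTE case in which sysusers-openvpn.conf is never installed, so a missing `$(sysusersdir)` or a permission error during `make install` passes silently while the generated units still expect the `openvpn` account to exist. Testing for the source file keeps the hook honest: `test ! -f $(DESTDIR)$(sysusersdir)/sysusers-openvpn.conf || mv $(DESTDIR)$(sysusersdir)/sysusers-openvpn.conf $(DESTDIR)$(sysusersdir)/openvpn.conf`. Alternatively, place the line under the same `if ENABLE_IPROUTE`/`else` conditional that controls `sysusers_DATA` in the earlier hunk.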
@@ -0,0 +1 @@
+u openvpn - "OpenVPN user" /
diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf
deleted file mode 100644
index bb79671e..00000000
--- a/distro/systemd/tmpfiles-openvpn.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-d /run/openvpn-client 0710 root root -
-d /run/openvpn-server 0710 root root -
diff --git a/distro/systemd/tmpfiles-openvpn.conf.in b/distro/systemd/tmpfiles-openvpn.conf.in
new file mode 100644
index 00000000..f58d2967
--- /dev/null
+++ b/distro/systemd/tmpfiles-openvpn.conf.in
@@ -0,0 +1,4 @@
+d /run/openvpn-client 0750 @SYSTEMD_USER@ @SYSTEMD_USER@ -
+d /run/openvpn-server 0750 @SYSTEMD_USER@ @SYSTEMD_USER@ -
+d /etc/openvpn/client 0750 @SYSTEMD_USER@ @SYSTEMD_USER@ -
+d /etc/openvpn/server 0750 @SYSTEMD_USER@ @SYSTEMD_USER@ -
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 36c1a4c4..0fc60d62 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1151,6 +1151,14 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
 /* set user and/or group if we want to setuid/setgid */
 if (c0->uid_gid_specified)
 {
+#ifdef ENABLE_SYSTEMD
+ if (sd_notify(0, "READY=0") > 0 && getuid() != 0)
+ {
+ msg(M_INFO, "NOTE: Running from systemd with non-root uid, skipping downgrade");
+ return;
+ }
+#endif
+
 if (no_delay)
 {
 platform_group_set(&c0->platform_state_group);
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
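Review bot: The two new `/etc/openvpn/client` and `/etc/openvpn/server` lines make the service account the owner of its own configuration tree whenever `SYSTEMD_USER` is `openvpn`, so a compromised daemon, which still holds CAP_NET_ADMIN and CAP_DAC_OVERRIDE through the ambient set, can rewrite the `%i.conf` it is started from and have the change honoured on the next start. Root ownership with group read access is sufficient for the daemon to read its files: `d /etc/openvpn/client 0750 root @SYSTEMD_USER@ -` and the same for `server`. If I read tmpfiles.d(5) correctly, a `d` entry also adjusts owner and mode of an already existing directory on every `systemd-tmpfiles --create` run, so as written this would re-own an administrator's existing configuration tree at boot as well.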
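Review bot: The new `return;` leaves do_uid_gid_chroot() as a whole rather than just the uid/gid block, so whatever the function does after the `if (c0->uid_gid_specified)` branch — the name suggests the `--chroot` handling — is skipped whenever openvpn runs under systemd with a non-root uid; the remainder of the function lies outside the hunk, so please confirm. Skipping only the setuid/setgid part (for example by computing a local `bool skip_downgrade` here and guarding the `if (no_delay)` block with it) keeps the rest of the function's behaviour. An operator who configured `--user`/`--group` also gets only M_INFO when those options are ignored; `msg(M_WARN, "NOTE: Running from systemd with non-root uid, skipping downgrade");` makes the dropped hardening visible in the logs. Finally, detecting systemd by sending a real `READY=0` notification is a side-effecting probe; checking `getenv("NOTIFY_SOCKET")`, the channel sd_notify() itself uses, would detect the same condition without emitting a message.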