On Thu, Aug 30, 2018 at 1:38 AM David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:
> On 29/08/18 21:05, Christian Hesse wrote:
> > Christian Ehrhardt <christian.ehrha...@canonical.com> on Wed, 2018/08/29
> > 16:27:
> >> It seems a not too uncommon case that learn-address needs to recycle
> >> dnsmasq - to do so it would need CAP_KILL.
> >>
> >> This was suggested on https://community.openvpn.net/openvpn/ticket/918
> >>
> >> Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
> >> ---
> >> distro/systemd/openvpn-ser...@.service.in | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/distro/systemd/openvpn-ser...@.service.in
> >> b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..edace213
> 100644
> >> --- a/distro/systemd/openvpn-ser...@.service.in
> >> +++ b/distro/systemd/openvpn-ser...@.service.in
> >> @@ -11,7 +11,7 @@ Type=notify
> >> PrivateTmp=true
> >> WorkingDirectory=/etc/openvpn/server
> >> ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
> >> --status-version 2 --suppress-timestamps --config %i.conf
> >> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> >> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> >> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
> >> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> >> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
> >> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw
> >
> > I do not like services being allowed to send signals to other processes.
> As
> > dnsmasq supports a dbus interface... How about using that? For example to
> > clear the dns cache of an instance started from Networkmanager:
> >
> > dbus-send --system --print-reply \
> > --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq
> \
> > uk.org.thekelleys.ClearCache
>
> +1 ... CAP_KILL privileges can too easily prepare the ground for DoS
> attacks.
>
> The D-Bus approach above seems much saner and safer. Also because D-Bus
> gives
> a reasonable protection in regards to privilege escalation attacks. But
> you
> most likely need to prepare a D-Bus policy for dnsmasq though, to allow the
> openvpn user (or whatever user who will execute this script) access to the
> uk.org.thekelleys.ClearCache D-Bus method.
>
I don't mind the KILL signal so much we can keep that off for another
discussion.
I like the suggestion if the dbus signal, clearly worth a try for those
with a matching setup.
After all my own thought of "umm KILL might be too much" is why I have
split it :-)
What bug 918 was originally about and would have to be cleared soon is the
CAP_AUDIT_WRITE.
So while we seem to agree we don't want/like CAP_KILL, could we add
CAP_AUDIT_WRITE as submitted?
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc
>
>
>
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
