On 29/08/18 16:27, Christian Ehrhardt wrote:
> Auth_pam will require audit writes or the connection will be rejected
> as the plugin fails to initialize like:
>   openvpn[1111]: sudo: unable to send audit message
>   openvpn[1111]: sudo: pam_open_session: System error
>   openvpn[1111]: sudo: policy plugin failed session initialization
> 
> See links from https://community.openvpn.net/openvpn/ticket/918 for
> more.
> 
> auth_pam is a common use case and capabilities for it should be allowed
> by the .service file.
> 
> Fixes: #918
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
> ---
>  distro/systemd/openvpn-ser...@.service.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/distro/systemd/openvpn-ser...@.service.in 
> b/distro/systemd/openvpn-ser...@.service.in
> index a8366a04..d1cc72cb 100644
> --- a/distro/systemd/openvpn-ser...@.service.in
> +++ b/distro/systemd/openvpn-ser...@.service.in
> @@ -11,7 +11,7 @@ Type=notify
>  PrivateTmp=true
>  WorkingDirectory=/etc/openvpn/server
>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
> --status-version 2 --suppress-timestamps --config %i.conf
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE 
> CAP_AUDIT_WRITE
>  LimitNPROC=10
>  DeviceAllow=/dev/null rw
>  DeviceAllow=/dev/net/tun rw
> 
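Review bot: the new CAP_AUDIT_WRITE lands in the bounding set of every instance of the template unit, while the commit message says it is only needed for the auth_pam use case; a short comment above the `CapabilityBoundingSet=` line citing the sudo "unable to send audit message" / pam_open_session failure would stop a later tidy-up of the capability list from dropping it again, and would tell readers which capability is the audit one rather than a networking one. Otherwise the change is minimal and self-contained: one line of the unit, no other behaviour touched.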

Acked-By: David Sommerseth <dav...@openvpn.net>

(The discussion is in a sub-thread, but keeping the ACK close to the patch for
simplicity)

-- 
kind regards,

David Sommerseth
OpenVPN Inc


