On 01/07/2021 00:56, tincantech via Openvpn-devel wrote:
> Hi
> [... copied from first mail ...]
> Thus the problem is twofold:
> 1. It is not possible to pre-determine a temporary directory within the systemd PrivateTmp assigned folder within an openvpn config which needs to use --tmp-dir
> 2. Openvpn is forced to assign a non-standard temporary folder to --tmp-dir which lies outside of the systemd assigned private temporary folder.
> [... second mail ...]
> the problem is threefold:
> 3. How would I then point scripts to the systemd assigned folder? (Yet another env var: systemd_private_tmp)
> The most logical answer is "To take matters into my own hands" and specify my own temporary location, but that does not sound like a "secure" approach generally .. which is the point of using systemd to "secure" things, in the first place.
First of all - what you are describing is what you are observing. But I'm missing the context of when you need a publicly available tmp-dir.
The PrivateTmp is a security hardening. Using /tmp and /var/tmp to dump various data has been a well-known security issue for years. And not just within OpenVPN, but all kind of running daemons have faced security challenges with the use of a global tmp-dir.
First some background.

In 2010 we added some hardening to avoid some of the potential issues with tmp-dir and temp-files needed for the script hooks (see commit 4e1cc5f6d for details). Already back then we knew this was not covering all issues, but it was still a good step forward to harden this issue. Those not satisfied with this change can use --tmp-dir to relocate this directory with stricter privileges. That's probably as strict as you can go.

The challenge at hand was that another process could manage to create a tempfile with the same tempname as OpenVPN did earlier, which OpenVPN would pick up and read even though it had not created it (it was the task of the plug-in/script to do so earlier). This was a perfect trap to inject data from outside, even from a user not privileged to configure OpenVPN. So we changed the model so OpenVPN always creates the temp-file before it runs the plug-in/script and ensures the privileges on that file are correct.
And then came systemd with PrivateTmp which added further hardening. That's the background ... now to PrivateTmp.

When running scripts via OpenVPN's script hooks or plug-ins, they should run under the same confinement as the OpenVPN process, so they should share the same tmp-dir. So PrivateTmp should not cause any issues with regard to script hooks or plug-ins. They should all share the same tmp-dir. I don't recall now if some $TMP or $TMPDIR variables would be set as well.

Now if you want your scripts to leave data after they have run, a tmp-dir is still the wrong location for such data - as then it isn't strictly a temporary file. In that case, these scripts should ideally use a different path which is not confined inside a private tmp-dir.
Some reasonable locations:

* Most Linux packaging provides /var/lib/openvpn, which should be owned by openvpn:openvpn by default. Creating a subdirectory here with the proper ACL would be considered appropriate.
* If the data is something you want to leave for another script/process to pick up (like a queue), the typical location for that would be /var/spool/openvpn (which needs to be created).
* If it is cached data, then /var/cache/openvpn would be appropriate.
* If it is runtime related data, which may be wiped when the OpenVPN process is stopped, using /run/openvpn/ would be fine - but these days, /run is mostly mounted as a tmpfs filesystem so be careful with the amount of data you put there.

My point is, don't use tmp-dir to save data which isn't really temporary, where temporary means it should not live there for very long. And don't abuse the --tmp-dir option to relocate it to one of these more persistent locations. Just don't use tmp-dir as a "data exchange point" outside of the communication between the OpenVPN process and the scripts/plug-ins it runs.
--
kind regards,

David Sommerseth
OpenVPN Inc
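The hardening described in the reply (the daemon creates the temp file with exclusive creation and mode 0600 before the hook runs, and afterwards only reads it if it is still the very file it created) as an added Python illustration. This is not OpenVPN's code; the function names, the HOOK_TMPFILE environment variable and the demo hook are constructed for this example. Because the hook is a child process, under systemd PrivateTmp it sees the same private /tmp as the daemon, so one tmp_dir serves both sides.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Added illustration of the "create first, verify before reading" pattern.
# Names below (create_hook_tmpfile, verify_and_read, HOOK_TMPFILE) are
# hypothetical and not part of OpenVPN.


def create_hook_tmpfile(tmp_dir):
    """Create the temp file *before* the hook runs.

    mkstemp opens with O_CREAT|O_EXCL and mode 0600, so a file planted
    earlier under the same name makes creation fail instead of being
    silently reused. The fstat result is kept to re-identify the file later.
    """
    fd, path = tempfile.mkstemp(prefix="openvpn_hook_", dir=tmp_dir)
    try:
        created_st = os.fstat(fd)
    finally:
        os.close(fd)
    return path, created_st


def verify_and_read(path, created_st):
    """Re-open without following symlinks and check the file is still the
    exact inode we created, a regular file, owned by us and not readable
    by others. Any mismatch means something else touched the path."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)  # raises OSError (ELOOP) on a planted symlink
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) != (created_st.st_dev, created_st.st_ino):
            raise RuntimeError("temp file was replaced after creation")
        if not stat.S_ISREG(st.st_mode):
            raise RuntimeError("temp file is not a regular file")
        if st.st_uid != os.getuid():
            raise RuntimeError("temp file is not owned by this process")
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise RuntimeError("temp file is accessible to other users")
        chunks = []
        while True:
            data = os.read(fd, 65536)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)
    finally:
        os.close(fd)


def run_hook(hook_argv, tmp_dir):
    """Run an external hook, telling it where to write via HOOK_TMPFILE
    (a constructed variable name), then read the result safely."""
    path, created_st = create_hook_tmpfile(tmp_dir)
    try:
        env = dict(os.environ, HOOK_TMPFILE=path)
        subprocess.run(hook_argv, env=env, check=True)
        return verify_and_read(path, created_st)
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


# Constructed hook: a tiny Python one-liner standing in for a shell hook.
DEMO_HOOK = [sys.executable, "-c",
             "import os; open(os.environ['HOOK_TMPFILE'], 'w').write('client-ok')"]


def demo():
    """Happy path: the hook writes into the pre-created file and we read it."""
    with tempfile.TemporaryDirectory() as d:
        return run_hook(DEMO_HOOK, d)


def substitution_is_detected():
    """Self-check of the failure mode: move our file aside (so its inode
    stays allocated) and plant another file at the same path. The read
    must be refused because the inode no longer matches."""
    with tempfile.TemporaryDirectory() as d:
        path, created_st = create_hook_tmpfile(d)
        os.rename(path, path + ".kept")
        with open(path, "w") as f:
            f.write("planted")
        try:
            verify_and_read(path, created_st)
        except RuntimeError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print("substitution detected:", substitution_is_detected())
```

The inode/device comparison is what makes the post-hook check meaningful: a name alone can be re-pointed between creation and reading, but the (st_dev, st_ino) pair recorded from the descriptor the daemon itself created cannot be forged by a second file at the same path.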