Hi David,

with your help, I was able to use systemd.PrivateTmp correctly. Thanks for this detailed explanation.

R

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, July 1st, 2021 at 13:41, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:

> On 01/07/2021 00:56, tincantech via Openvpn-devel wrote:
> > Hi
> > [... copied from first mail ...]
> >
> > Thus the problem is two fold:
> >
> > It is not possible to pre-determine a temporary directory within the systemd
> > PrivateTmp assigned folder within an openvpn config which needs to use --tmp-dir
> >
> > 2.
> > Openvpn is forced to assign a non-standard temporary folder to --tmp-dir which
> > lies outside of the systemd assigned private temporary folder.
> >
> > [... second mail ...]
> >
> > the problem is three fold:
> >
> > 3.
> > How would I then point scripts to the systemd assigned folder ?
> > (Yet another env var: systemd_private_tmp)
> >
> > > The most logical answer is "To take matters into my own hands"
> > > and specify my own temporary location but that does not sound
> > > like a "secure" approach generally .. which is the point of using
> > > systemd to "secure" things, in the first place.
>
> First of all - what you are describing is what you are observing. But I'm
> missing the context of when you need a publicly available tmp-dir.
>
> The PrivateTmp is a security hardening. Using /tmp and /var/tmp to dump
> various data has been a well-known security issue for years. And not just
> within OpenVPN, but all kinds of running daemons have faced security
> challenges with the use of a global tmp-dir.
>
> First some background.
>
> In 2010 we added some hardening to avoid some of the potential issues with
> tmp-dir and temp-files needed for the script hooks (see commit 4e1cc5f6d for
> details). Already back then we knew this was not covering all issues, but it
> was still a good step forward to harden this issue. Those not satisfied with
> this change can use --tmp-dir to relocate this directory with stricter
> privileges. That's probably as strict as you can go.
>
> The challenge at hand was that another process could manage to create a
> tempfile with the same tempname as OpenVPN did earlier, which OpenVPN would
> pick up and read despite not having created it (it was the task of the
> plug-in/script to do so earlier). This was a perfect trap to inject data from
> outside, even from a user not privileged to configure OpenVPN. So we changed
> the model so OpenVPN always creates the temp-file before it runs the
> plug-in/script and ensures the privileges on that file are correct.
>
> And then came systemd with PrivateTmp which added further hardening.
>
> That's the background ... now to PrivateTmp
>
> When running scripts via OpenVPN's script hooks or plug-ins, they should run
> under the same confinement as the OpenVPN process, so they should share the
> same tmp-dir. So PrivateTmp should not cause any issues in regard to script
> hooks or plug-ins. They should all share the same tmp-dir. I don't recall now
> if some $TMP or $TMPDIR variables would be set as well.
>
> Now if you want your scripts to leave data after they have run, a tmp-dir is
> still the wrong location for such data - as then it isn't strictly a
> temporary file. In that case, these scripts should ideally use a different
> path which is not confined inside a private tmp-dir.
>
> Some reasonable locations:
>
> - Most Linux packaging provides /var/lib/openvpn, which should be owned
>   by openvpn:openvpn by default. Creating a subdirectory here with the
>   proper ACL would be considered appropriate.
> - If it is data you want to leave for another script/process to pick up
>   (like a queue), the typical location for that would be /var/spool/openvpn
>   (which needs to be created).
> - If it is cached data, then /var/cache/openvpn would be appropriate.
> - If it is runtime related data, which may be wiped when the OpenVPN
>   process is stopped, using /run/openvpn/ would be fine - but these
>   days, /run is mostly mounted as a tmpfs filesystem so be careful with
>   the amount of data you put there.
>
> My point is, don't use tmp-dir to save data which isn't really temporary,
> where temporary means it should not live there for very long. And don't abuse
> the --tmp-dir option to relocate it to one of these more persistent
> locations. Just don't use tmp-dir as a "data exchange point" outside of the
> communication between the OpenVPN process and the scripts/plug-ins it runs.
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc
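The create-before-run temp-file model David describes in the quoted mail, as an added illustration written for this page; it is not OpenVPN's code (commit 4e1cc5f6d is the real change). The function names, the tmp_dir argument, the 0600 policy and the two sample hooks are assumptions made here.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1: the daemon creates a 0600 file in tmp_dir before the hook runs. mkstemp
 * opens with O_EXCL, so a pre-planted name fails instead of being reused. */
static int create_hook_tmpfile(const char *tmp_dir, char *path, size_t plen, struct stat *st)
{
    if (snprintf(path, plen, "%s/openvpn_hook_XXXXXX", tmp_dir) >= (int)plen) return -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int rc = (fchmod(fd, S_IRUSR | S_IWUSR) == 0 && fstat(fd, st) == 0) ? 0 : -1;
    close(fd);                               /* *st now records device + inode */
    if (rc < 0) unlink(path);
    return rc;
}

/* Step 2: reopen after the hook; accept only the same inode, a regular file owned by us, 0600. */
static int read_hook_tmpfile(const char *path, const struct stat *want, char *buf, size_t blen)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);   /* a symlink fails here */
    if (fd < 0) return -1;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
          && st.st_dev == want->st_dev && st.st_ino == want->st_ino
          && st.st_uid == getuid() && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
    ssize_t n = ok ? read(fd, buf, blen - 1) : -1;
    close(fd);
    if (n >= 0) buf[n] = '\0';
    return (int)n;                           /* bytes accepted, or -1 when refused */
}

/* Round trip: create, run the hook (stands in for the script/plug-in), read back, always unlink. */
int hook_roundtrip(const char *tmp_dir, void (*hook)(const char *), char *out, size_t olen)
{
    char path[256]; struct stat st;
    if (create_hook_tmpfile(tmp_dir, path, sizeof path, &st) < 0) return -1;
    hook(path);
    int n = read_hook_tmpfile(path, &st, out, olen);
    unlink(path);
    return n;
}
/* Well-behaved hook (constructed sample): writes its result into the file the daemon created. */
void honest_hook(const char *p) { FILE *f = fopen(p, "w"); if (f) { fputs("push \"route 10.8.0.0 255.255.255.0\"\n", f); fclose(f); } }
/* Misbehaving hook (constructed sample): the name now resolves to a link elsewhere; must be refused. */
void linked_hook(const char *p) { unlink(p); (void)symlink("/etc/hostname", p); }
```

Only the honest hook's 36 bytes are accepted; the linked variant is rejected before any read.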
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel