Re: [Openvpn-devel] Discussion: Moving forward with compression and voracle

2018-08-29 Thread Simon Matter
> On 29-08-18 17:18, Jan Just Keijser wrote:
>> Since when can I not type in
>>   rm -rf /
>> any more ?  did someone build in a flag into the "rm" command to stop me
>> from doing so? I sure hope not.
>
> $ sudo docker run --rm debian rm -rf /
> rm: it is dangerous to operate recursively on '/'
> rm: use --no-preserve-root to override this failsafe
>
> This has been like this for a long while (and not just for debian).
>
> -Steffan
>
> PS: "rm -rf /*" will try to rm (almost) everything ;-)

Still, using OpenVPN with compression makes much more sense than using "rm
-rf /". I really vote against removing compression from OpenVPN!

Regards,
Simon


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH 2/2] systemd: extend CapabilityBoundingSet for learn-address

2018-08-29 Thread David Sommerseth
On 29/08/18 21:05, Christian Hesse wrote:
> Christian Ehrhardt  on Wed, 2018/08/29
> 16:27:
>> It seems a not too uncommon case that learn-address needs to recycle
>> dnsmasq - to do so it would need CAP_KILL.
>>
>> This was suggested on https://community.openvpn.net/openvpn/ticket/918
>>
>> Signed-off-by: Christian Ehrhardt 
>> ---
>>  distro/systemd/openvpn-ser...@.service.in | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/distro/systemd/openvpn-ser...@.service.in
>> b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..edace213 100644
>> --- a/distro/systemd/openvpn-ser...@.service.in
>> +++ b/distro/systemd/openvpn-ser...@.service.in
>> @@ -11,7 +11,7 @@ Type=notify
>>  PrivateTmp=true
>>  WorkingDirectory=/etc/openvpn/server
>>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
>> --status-version 2 --suppress-timestamps --config %i.conf
>> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
>> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
>> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
>> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw
> 
> I do not like services being allowed to send signals to other processes. As
> dnsmasq supports a dbus interface... How about using that? For example to
> clear the dns cache of an instance started from Networkmanager:
> 
> dbus-send --system --print-reply \
> --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
> uk.org.thekelleys.ClearCache

+1 ... CAP_KILL privileges can too easily prepare the ground for DoS attacks.

The D-Bus approach above seems much saner and safer.  Also because D-Bus gives
a reasonable protection in regards to privilege escalation attacks.  But you
most likely need to prepare a D-Bus policy for dnsmasq though, to allow the
openvpn user (or whatever user who will execute this script) access to the
uk.org.thekelleys.ClearCache D-Bus method.


-- 
kind regards,

David Sommerseth
OpenVPN Inc
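
A D-Bus policy of the kind the message above says would be needed, as an added example that is not part of the original thread or of the OpenVPN or dnsmasq sources. The account name "openvpn" and the file location are assumptions; the bus name, object path and method are taken from the dbus-send call quoted in the thread.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Constructed example; assumed location:
       /etc/dbus-1/system.d/openvpn-dnsmasq.conf -->

  <!-- "openvpn" is an assumed account name: use whichever user
       actually runs the learn-address script. -->
  <policy user="openvpn">
    <!-- Permit only the cache flush on the dnsmasq object. No other
         method on this bus name is opened up for this user. -->
    <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"
           send_path="/uk/org/thekelleys/dnsmasq"
           send_member="ClearCache"/>
  </policy>
</busconfig>
```

The learn-address script can then issue the dbus-send call from the thread instead of signalling dnsmasq, which needs no CAP_KILL in the unit.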






Re: [Openvpn-devel] [PATCH 2/2] systemd: extend CapabilityBoundingSet for learn-address

2018-08-29 Thread Christian Hesse
Christian Ehrhardt  on Wed, 2018/08/29
16:27:
> It seems a not too uncommon case that learn-address needs to recycle
> dnsmasq - to do so it would need CAP_KILL.
> 
> This was suggested on https://community.openvpn.net/openvpn/ticket/918
> 
> Signed-off-by: Christian Ehrhardt 
> ---
>  distro/systemd/openvpn-ser...@.service.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/distro/systemd/openvpn-ser...@.service.in
> b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..edace213 100644
> --- a/distro/systemd/openvpn-ser...@.service.in
> +++ b/distro/systemd/openvpn-ser...@.service.in
> @@ -11,7 +11,7 @@ Type=notify
>  PrivateTmp=true
>  WorkingDirectory=/etc/openvpn/server
>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw

I do not like services being allowed to send signals to other processes. As
dnsmasq supports a dbus interface... How about using that? For example to
clear the dns cache of an instance started from Networkmanager:

dbus-send --system --print-reply \
--dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
uk.org.thekelleys.ClearCache
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] Discussion: Moving forward with compression and voracle

2018-08-29 Thread Steffan Karger
On 29-08-18 17:18, Jan Just Keijser wrote:
> Since when can I not type in
>   rm -rf /
> any more ?  did someone build in a flag into the "rm" command to stop me
> from doing so? I sure hope not.

$ sudo docker run --rm debian rm -rf /
rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe

This has been like this for a long while (and not just for debian).

-Steffan

PS: "rm -rf /*" will try to rm (almost) everything ;-)



[Openvpn-devel] [PATCH 0/2] extend systemd service files for common use cases

2018-08-29 Thread Christian Ehrhardt
Hi,
tracking down an Ubuntu bug I found what seemed to be a circular
dependency around https://community.openvpn.net/openvpn/ticket/918

Realizing that your process requires the patches sent to the list I
thought it might help to prep those.

I'd highly ask to consider the first change, the second I can understand
the need but had no real use case myself so far.
To be able to discuss and also accept/nack them individually I split the
changes.

Eventually I'd also want to sync the systemd service content in
https://github.com/OpenVPN/sbuild_wrapper to what is upstream. Therefore
I was wondering how devel for that repo is done. After the discussion here
resolves will a PR on github do it, or should this get an openvpn-devel ML
post as well?

Christian Ehrhardt (2):
  systemd: extend CapabilityBoundingSet for auth_pam
  systemd: extend CapabilityBoundingSet for learn-address

 distro/systemd/openvpn-ser...@.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.17.1




[Openvpn-devel] [PATCH 1/2] systemd: extend CapabilityBoundingSet for auth_pam

2018-08-29 Thread Christian Ehrhardt
Auth_pam will require audit writes or the connection will be rejected
as the plugin fails to initialize like:
  openvpn[]: sudo: unable to send audit message
  openvpn[]: sudo: pam_open_session: System error
  openvpn[]: sudo: policy plugin failed session initialization

See links from https://community.openvpn.net/openvpn/ticket/918 for
more.

auth_pam is a common use case and capabilities for it should be allowed
by the .service file.

Fixes: #918

Signed-off-by: Christian Ehrhardt 
---
 distro/systemd/openvpn-ser...@.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index a8366a04..d1cc72cb 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -11,7 +11,7 @@ Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE 
CAP_AUDIT_WRITE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
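
Review bot: The CAP_AUDIT_WRITE added on the "+CapabilityBoundingSet=" line is justified only by log lines prefixed "sudo:", so the commit message should say whether the auth_pam plugin itself or a sudo call made under openvpn is what emits the audit record. Since this template unit serves every server instance, including ones that do not use auth_pam, a comment above the directive noting which feature needs which capability would make the set easier to audit and prune later.
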
-- 
2.17.1




[Openvpn-devel] [PATCH 2/2] systemd: extend CapabilityBoundingSet for learn-address

2018-08-29 Thread Christian Ehrhardt
It seems a not too uncommon case that learn-address needs to recycle
dnsmasq - to do so it would need CAP_KILL.

This was suggested on https://community.openvpn.net/openvpn/ticket/918

Signed-off-by: Christian Ehrhardt 
---
 distro/systemd/openvpn-ser...@.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index d1cc72cb..edace213 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -11,7 +11,7 @@ Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE 
CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE 
CAP_AUDIT_WRITE CAP_KILL
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
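
Review bot: CAP_KILL at the end of the "+CapabilityBoundingSet=" line is broader than the stated need: it lifts the permission check on signalling any process, while the commit message only asks to recycle dnsmasq from a learn-address script. Consider leaving it out of the shipped unit and documenting a drop-in override for setups that need it, and name in the commit message the signal and the target involved so the requirement can be checked against narrower alternatives.
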
-- 
2.17.1




[Openvpn-devel] [PATCH] Fix memory leak after sighup

2018-08-29 Thread Steffan Karger
The c.es env_set is (re)allocated for each "sighup loop iteration", while
it was free'd only once at process shutdown.  Move the env_set_destroy()
call to match the same level as the env_set_create() call to fix that.

Signed-off-by: Steffan Karger 
---
 src/openvpn/openvpn.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index b9e914a..3819889 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -329,6 +329,7 @@ openvpn_main(int argc, char *argv[])
 }
 while (c.sig->signal_received == SIGUSR1);
 
+env_set_destroy(c.es);
 uninit_options();
 gc_reset();
 }
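
Review bot: After the new env_set_destroy(c.es) call, c.es still holds the freed pointer while uninit_options() and gc_reset() run and until the next loop iteration reallocates it. Setting c.es = NULL right after the destroy would turn any late access into an obvious fault instead of a use-after-free; otherwise please confirm that nothing in uninit_options() reads the env set.
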
@@ -337,8 +338,6 @@ openvpn_main(int argc, char *argv[])
 
 context_gc_free();
 
-env_set_destroy(c.es);
-
 #ifdef ENABLE_MANAGEMENT
 /* close management interface */
 close_management();
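
Review bot: With env_set_destroy(c.es) removed here, the shutdown path after context_gc_free() no longer frees the env set and relies on every exit having passed the new call at the end of the loop body. Please confirm that no early exit from the loop skips that point, or the last allocation would still leak.
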
-- 
2.7.4




[Openvpn-devel] [PATCH] mbedtls: print warning if random personalisation fails

2018-08-29 Thread Steffan Karger
... instead of when it doesn't fail.  Looks like 'someone' mixed up the
mbedtls return style (0 means success) with the openvpn internal return
style (true means success).

Signed-off-by: Steffan Karger 
---
 src/openvpn/ssl_mbedtls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 8e31980..ef83e65 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -853,7 +853,7 @@ tls_ctx_personalise_random(struct tls_root_ctx *ctx)
 const md_kt_t *sha256_kt = md_kt_get("SHA256");
 mbedtls_x509_crt *cert = ctx->crt_chain;
 
-if (0 != md_full(sha256_kt, cert->tbs.p, cert->tbs.len, sha256_hash))
+if (!md_full(sha256_kt, cert->tbs.p, cert->tbs.len, sha256_hash))
 {
 msg(M_WARN, "WARNING: failed to personalise random");
 }
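
Review bot: On the failure branch of the corrected "if (!md_full(...))" check only a warning is logged, so if the code that follows still passes sha256_hash on as personalisation data it would use a buffer that md_full() did not fill. Consider returning after the msg(M_WARN, ...) line, or initialising sha256_hash beforehand, so a failed digest cannot end up as personalisation input.
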
-- 
2.7.4

