Re: [Openvpn-devel] Discussion: Moving forward with compression and voracle
> On 29-08-18 17:18, Jan Just Keijser wrote: >> Since when can I not type in >> rm -rf / >> any more ? did someone build in a flag into the "rm" command to stop me >> from doing so? I sure hope not. > > $ sudo docker run --rm debian rm -rf / > rm: it is dangerous to operate recursively on '/' > rm: use --no-preserve-root to override this failsafe > > This has been like this for a long while (and not just for debian). > > -Steffan > > PS: "rm -rf /*" will try to rm (almost) everything ;-) Still, using OpenVPN with compression makes much more sense than using "rm -rf /". I really vote against removing compression from OpenVPN! Regards, Simon -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/2] systemd: extend CapabilityBoundingSet for learn-address
On 29/08/18 21:05, Christian Hesse wrote: > Christian Ehrhardt on Wed, 2018/08/29 > 16:27: >> It seems a not too uncommon case that learn-address needs to recycle >> dnsmasq - to do so it would need CAP_KILL. >> >> This was suggested on https://community.openvpn.net/openvpn/ticket/918 >> >> Signed-off-by: Christian Ehrhardt >> --- >> distro/systemd/openvpn-ser...@.service.in | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/distro/systemd/openvpn-ser...@.service.in >> b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..edace213 100644 >> --- a/distro/systemd/openvpn-ser...@.service.in >> +++ b/distro/systemd/openvpn-ser...@.service.in >> @@ -11,7 +11,7 @@ Type=notify >> PrivateTmp=true >> WorkingDirectory=/etc/openvpn/server >> ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log >> --status-version 2 --suppress-timestamps --config %i.conf >> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE >> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE >> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN >> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT >> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10 >> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw > > I do not like services being allowed to send signals to other processes. As > dnsmasq supports a dbus interface... How about using that? For example to > clear the dns cache of an instance started from Networkmanager: > > dbus-send --system --print-reply \ > --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \ > uk.org.thekelleys.ClearCache +1 ... CAP_KILL privileges can too easily prepare the ground for DoS attacks. The D-Bus approach above seems much saner and safer. Also because D-Bus gives a reasonable protection in regards to privilege escalation attacks. But you most likely need to prepare a D-Bus policy for dnsmasq though, to allow the openvpn user (or whatever user who will execute this script) access to the uk.org.thekelleys.ClearCache D-Bus method. -- kind regards, David Sommerseth OpenVPN Inc signature.asc Description: OpenPGP digital signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 2/2] systemd: extend CapabilityBoundingSet for learn-address
Christian Ehrhardt on Wed, 2018/08/29 16:27: > It seems a not too uncommon case that learn-address needs to recycle > dnsmasq - to do so it would need CAP_KILL. > > This was suggested on https://community.openvpn.net/openvpn/ticket/918 > > Signed-off-by: Christian Ehrhardt > --- > distro/systemd/openvpn-ser...@.service.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/distro/systemd/openvpn-ser...@.service.in > b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..edace213 100644 > --- a/distro/systemd/openvpn-ser...@.service.in > +++ b/distro/systemd/openvpn-ser...@.service.in > @@ -11,7 +11,7 @@ Type=notify > PrivateTmp=true > WorkingDirectory=/etc/openvpn/server > ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log > --status-version 2 --suppress-timestamps --config %i.conf > -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE > CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN > CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT > CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10 > DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw I do not like services being allowed to send signals to other processes. As dnsmasq supports a dbus interface... How about using that? For example to clear the dns cache of an instance started from Networkmanager: dbus-send --system --print-reply \ --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \ uk.org.thekelleys.ClearCache -- main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];) putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);} pgphSrSEjPWji.pgp Description: OpenPGP digital signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Discussion: Moving forward with compression and voracle
On 29-08-18 17:18, Jan Just Keijser wrote: > Since when can I not type in > rm -rf / > any more ? did someone build in a flag into the "rm" command to stop me > from doing so? I sure hope not. $ sudo docker run --rm debian rm -rf / rm: it is dangerous to operate recursively on '/' rm: use --no-preserve-root to override this failsafe This has been like this for a long while (and not just for debian). -Steffan PS: "rm -rf /*" will try to rm (almost) everything ;-) -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 0/2] extend systemd service files for common use cases
Hi, tracking down an Ubuntu bug I found what seemed to be a circular dependency around https://community.openvpn.net/openvpn/ticket/918 Realizing that your process requires the patches sent to the list I thought it might help to prep those. I'd highly sak to consider the first change, the second I can understand the need but had no real use case myself so far. To be able to discuss and also accept/nack them individually I split the changes. Eventually I'd also want to sync the systemd service content in https://github.com/OpenVPN/sbuild_wrapper to what is upstream. Therefore I was wondering how devel for that repo is done. After the discussion here resolves will a PR on github do it, or should this get a openvpn-devel ML post as well ? Christian Ehrhardt (2): systemd: extend CapabilityBoundingSet for auth_pam systemd: extend CapabilityBoundingSet for learn-address distro/systemd/openvpn-ser...@.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.17.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 1/2] systemd: extend CapabilityBoundingSet for auth_pam
Auth_pam will require audit writes or the connection will be rejected as the plugin fails to initialize like: openvpn[]: sudo: unable to send audit message openvpn[]: sudo: pam_open_session: System error openvpn[]: sudo: policy plugin failed session initialization See links from https://community.openvpn.net/openvpn/ticket/918 for more. auth_pam is a common use case and capabilties for it should be allowed by the .service file. Fixes: #918 Signed-off-by: Christian Ehrhardt --- distro/systemd/openvpn-ser...@.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in index a8366a04..d1cc72cb 100644 --- a/distro/systemd/openvpn-ser...@.service.in +++ b/distro/systemd/openvpn-ser...@.service.in @@ -11,7 +11,7 @@ Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw -- 2.17.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 2/2] systemd: extend CapabilityBoundingSet for learn-address
It seems a not too uncommon case that learn-address needs to recycle dnsmasq - to do so it would need CAP_KILL. This was suggested on https://community.openvpn.net/openvpn/ticket/918 Signed-off-by: Christian Ehrhardt --- distro/systemd/openvpn-ser...@.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..edace213 100644 --- a/distro/systemd/openvpn-ser...@.service.in +++ b/distro/systemd/openvpn-ser...@.service.in @@ -11,7 +11,7 @@ Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw -- 2.17.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Fix memory leak after sighup
The c.es env_set is (re)allocated for each "sighup loop iteration", while it was free'd only once at process shutdown. Move the env_set_destroy() call to match the same level as the env_set_create() call to fix that. Signed-off-by: Steffan Karger --- src/openvpn/openvpn.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index b9e914a..3819889 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -329,6 +329,7 @@ openvpn_main(int argc, char *argv[]) } while (c.sig->signal_received == SIGUSR1); +env_set_destroy(c.es); uninit_options(); gc_reset(); } @@ -337,8 +338,6 @@ openvpn_main(int argc, char *argv[]) context_gc_free(); -env_set_destroy(c.es); - #ifdef ENABLE_MANAGEMENT /* close management interface */ close_management(); -- 2.7.4 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] mbedtls: print warning if random personalisation fails
... instead of when it doesn't fail. Looks like 'someone' mixed up the mbedtls return style (0 means success) with the openvpn internal return style (true means success). Signed-off-by: Steffan Karger --- src/openvpn/ssl_mbedtls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 8e31980..ef83e65 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -853,7 +853,7 @@ tls_ctx_personalise_random(struct tls_root_ctx *ctx) const md_kt_t *sha256_kt = md_kt_get("SHA256"); mbedtls_x509_crt *cert = ctx->crt_chain; -if (0 != md_full(sha256_kt, cert->tbs.p, cert->tbs.len, sha256_hash)) +if (!md_full(sha256_kt, cert->tbs.p, cert->tbs.len, sha256_hash)) { msg(M_WARN, "WARNING: failed to personalise random"); } -- 2.7.4 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel