Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units
On 12/12/16 20:44, Gert Doering wrote:
> Hi,
>
> On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote:
>> From: Christian Hesse
>>
>> ProtectSystem=strict mounts the entire file system hierarchy read-only,
>> except for the API file system subtrees /dev, /proc and /sys (which can
>> be protected using PrivateDevices=, ProtectKernelTunables=,
>> ProtectControlGroups=).
>
> Unless the temp directories are still writeable, this will break
> server configs with --client-connect scripts or plugins trying to hand
> back config settings via temp files.

Agreed, we cannot have /tmp (or --tmp-dir) read-only.

However, I read up a bit on ProtectSystem= on RHEL7. And on RHEL7 (shipping systemd-219) ProtectSystem= can only be 'full' or 'true' (it is 'false'/off by default). We cannot use any other values, as RHEL defines the oldest distros we support, and RHEL7 is the oldest systemd distro we will support in the future.

We can definitely use ProtectSystem=true, as that ensures /usr and /boot are read-only. That is safe. If using 'full', /etc is also made read-only. I personally think this makes sense too, as if you have any state or log files, they should be placed under /var/log, {/var,}/run or /var/lib.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

--
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units
>>
>> (I do not think an openvpn *client* config will need to create
>> files, but this needs testing)
>>

No, it does not. If you compile with CLIENT_ONLY, the tmp-dir option will throw an error.

Arne
Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units
> Hi,
>
> On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote:
> > From: Christian Hesse
> >
> > ProtectSystem=strict mounts the entire file system hierarchy read-only,
> > except for the API file system subtrees /dev, /proc and /sys (which can
> > be protected using PrivateDevices=, ProtectKernelTunables=,
> > ProtectControlGroups=).
>
> Unless the temp directories are still writeable, this will break
> server configs with --client-connect scripts or plugins trying to hand
> back config settings via temp files.
>
> (I do not think an openvpn *client* config will need to create
> files, but this needs testing)
>

Even if you find a way to store temporary files, I'm still not sure what can be done with ifconfig-pool-persist. It's not a temp file, it should be persistent.
Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units
Hi,

On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote:
> From: Christian Hesse
>
> ProtectSystem=strict mounts the entire file system hierarchy read-only,
> except for the API file system subtrees /dev, /proc and /sys (which can
> be protected using PrivateDevices=, ProtectKernelTunables=,
> ProtectControlGroups=).

Unless the temp directories are still writeable, this will break server configs with --client-connect scripts or plugins trying to hand back config settings via temp files.

(I do not think an openvpn *client* config will need to create files, but this needs testing)

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units
On 10/12/16 12:57, Christian Hesse wrote:
> SviMik on Sat, 2016/12/10 06:06:
>>> You can break this with something like:
>>>
>>> status /etc/openvpn/client/status.log
>>>
>>> in your configuration. Writing a status file
>>> to /run/openvpn-{client,server}/status.log works, though. So the default
>>> setups should be fine. Do we have any more cases where openvpn wants write
>>> access for whatever?
>>
>> From my configuration:
>> 1) status
>
> That is fine if it is written to /run/openvpn-{client,server}/. It breaks
> with the status file in /etc/openvpn/{client,server}/, for example.

FWIW, the default SELinux policies actually deny any openvpn_exec_t process write access to /etc ... I believe that is independent of Linux distro, as long as SELinux has been enabled and the system is in Enforcing mode.

>> 2) ifconfig-pool-persist
>
> That is a problem... As the name suggests this should be persistent. :-/

Same SELinux issue here too. IIRC, these files need to be located under /var/lib/openvpn or /var/run/openvpn. But I do see there is one exception ... /etc/openvpn/ipp\.txt will be labelled openvpn_etc_rw_t, which OpenVPN is allowed to write to.

>> 3) tmp-dir (for storing openvpn_pf_*.tmp files)
>
> Never used this. What is it for?
> Anyway, I think this is not persistent stuff? Writing to /tmp/
> or /run/openvpn-{client,server}/ should be fine.

The openvpn_pf_*.tmp files are just one thing. If you use --auth-user-pass-verify script hooks or perhaps even --plugin for authentication, other temp files are generated in the default tmp-dir. See commit 4e1cc5f6dda22e9ff12 for more info.

>> 4) client-connect script may want to write something
>
> My scripts do some configuration and dbus-stuff, but do not write anything...
> Writing to a read-only path would fail, of course.

Again, SELinux can block this already ... unless you write in the properly labelled directories for OpenVPN.

>> 5) a plugin may want to write something
>
> Same here... /run/ and /tmp/ are fine, other paths fail.

The same as 4)

>> For me even the read-only option will break nearly *everything*. And for
>> the user it will be completely not obvious why his scripts don't work, why
>> his status file is not updated, and what's wrong with ifconfig-pool-persist.
>
> Well, the error message should include something like: "cannot open file
> 'file': Read-only file system".
>
> But this is more problematic than I thought initially.

If we have some directories which comply with the SELinux policies in regards to read/write privileges, we should be fine. And restricting which directories OpenVPN can write to is quite sane. All those plenty of blogs putting runtime status files into /etc/openvpn have misunderstood quite some of the concept of the Unix file system layout.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
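As an added example (not from the thread and not OpenVPN's own code), the POSIX shell script below applies the ProtectSystem= semantics described at the top of the thread (true: /usr and /boot read-only; full: /etc as well; strict: everything except the API file systems) to the write-producing options listed by SviMik, and reports which paths in a given config would fail under each value. The options beyond status, ifconfig-pool-persist and tmp-dir, the /etc/openvpn fallback for relative paths, and the assumption that /run, /tmp and /var/tmp are kept writable under strict (for instance via ReadWritePaths=) are assumptions of this example, not facts from the thread; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN: given an OpenVPN
# config file and a ProtectSystem= value, list the options that open a file
# for writing and report which of those paths would sit on a read-only mount.
# Options treated as write-producing: status, ifconfig-pool-persist and
# tmp-dir (from the thread) plus log, log-append and writepid (assumed to
# behave the same way). For "strict" the script assumes /run, /tmp and
# /var/tmp remain writable (e.g. via ReadWritePaths=), matching the thread's
# requirement that the temp directories stay writeable.

# Print 1 if PATH stays writable under MODE, 0 if ProtectSystem= makes it
# read-only. Semantics follow the thread: true -> /usr and /boot read-only,
# full -> /etc as well, strict -> everything except the API file systems.
path_writable() {
    path=$1
    mode=$2
    case $mode in
        false|off|no|'') echo 1; return ;;
    esac
    case $path in
        /usr|/usr/*|/boot|/boot/*) echo 0; return ;;
    esac
    case $mode in
        true|yes|on) echo 1; return ;;
    esac
    case $path in
        /etc|/etc/*) echo 0; return ;;
    esac
    case $mode in
        full) echo 1; return ;;
    esac
    # strict: API file systems plus the assumed ReadWritePaths= set
    case $path in
        /dev|/dev/*|/proc|/proc/*|/sys|/sys/*|/run|/run/*|/tmp|/tmp/*|/var/tmp|/var/tmp/*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Scan CONFIG for write-producing options, print "<option> <path> ok" or
# "<option> <path> read-only" per hit, and return the number of read-only
# hits as the exit status.
check_openvpn_config() {
    config=$1
    mode=$2
    blocked=0
    while read -r opt arg _rest; do
        case $opt in
            status|ifconfig-pool-persist|tmp-dir|log|log-append|writepid) ;;
            *) continue ;;
        esac
        # Relative paths resolve against the unit's working directory; the
        # example assumes /etc/openvpn, which is where such files usually end up.
        case $arg in
            /*) path=$arg ;;
            *) path=/etc/openvpn/$arg ;;
        esac
        if [ "$(path_writable "$path" "$mode")" = 1 ]; then
            printf '%s %s ok\n' "$opt" "$path"
        else
            printf '%s %s read-only\n' "$opt" "$path"
            blocked=$((blocked + 1))
        fi
    done < "$config"
    return "$blocked"
}

# Constructed sample server config (not taken from the thread) that covers
# the cases discussed: a status file under /run, a relative ipp file that
# lands in /etc/openvpn, a tmp-dir in /tmp and a log under /var/log.
SAMPLE_CONF=${TMPDIR:-/tmp}/openvpn-protectsystem-demo.conf
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample configuration
server 10.8.0.0 255.255.255.0
status /run/openvpn-server/status.log 10
ifconfig-pool-persist ipp.txt
tmp-dir /tmp
log-append /var/log/openvpn/server.log
EOF

# Convenience wrapper: number of read-only hits in the sample config for MODE.
count_blocked() {
    rc=0
    check_openvpn_config "$SAMPLE_CONF" "$1" >/dev/null || rc=$?
    echo "$rc"
}

# Stand-alone run: show the report for each ProtectSystem= value.
for m in true full strict; do
    echo "ProtectSystem=$m:"
    check_openvpn_config "$SAMPLE_CONF" "$m" || :
done
```

Run it against a real server config with `check_openvpn_config /etc/openvpn/server/foo.conf full` before switching the unit to a stricter value; every "read-only" line is a file OpenVPN, a script hook or a plugin will fail to open with "Read-only file system", which is exactly the failure the thread predicts for status files and ifconfig-pool-persist kept under /etc/openvpn.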
Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units
SviMik on Sat, 2016/12/10 06:06:
> > You can break this with something like:
> >
> > status /etc/openvpn/client/status.log
> >
> > in your configuration. Writing a status file
> > to /run/openvpn-{client,server}/status.log works, though. So the default
> > setups should be fine. Do we have any more cases where openvpn wants write
> > access for whatever?
>
> From my configuration:
> 1) status

That is fine if it is written to /run/openvpn-{client,server}/. It breaks with the status file in /etc/openvpn/{client,server}/, for example.

> 2) ifconfig-pool-persist

That is a problem... As the name suggests this should be persistent. :-/

> 3) tmp-dir (for storing openvpn_pf_*.tmp files)

Never used this. What is it for?
Anyway, I think this is not persistent stuff? Writing to /tmp/ or /run/openvpn-{client,server}/ should be fine.

> 4) client-connect script may want to write something

My scripts do some configuration and dbus-stuff, but do not write anything... Writing to a read-only path would fail, of course.

> 5) a plugin may want to write something

Same here... /run/ and /tmp/ are fine, other paths fail.

> For me even the read-only option will break nearly *everything*. And for
> the user it will be completely not obvious why his scripts don't work, why
> his status file is not updated, and what's wrong with ifconfig-pool-persist.

Well, the error message should include something like: "cannot open file 'file': Read-only file system".

But this is more problematic than I thought initially.

--
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}
Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units
> You can break this with something like:
>
> status /etc/openvpn/client/status.log
>
> in your configuration. Writing a status file
> to /run/openvpn-{client,server}/status.log works, though. So the default
> setups should be fine. Do we have any more cases where openvpn wants write
> access for whatever?

From my configuration:
1) status
2) ifconfig-pool-persist
3) tmp-dir (for storing openvpn_pf_*.tmp files)
4) client-connect script may want to write something
5) a plugin may want to write something

For me even the read-only option will break nearly *everything*. And for the user it will be completely not obvious why his scripts don't work, why his status file is not updated, and what's wrong with ifconfig-pool-persist.
Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units
David Sommerseth on Fri, 2016/12/09 20:42:
> On 09/12/16 19:13, Christian Hesse wrote:
> > From: Christian Hesse
> >
> > ProtectSystem=strict mounts the entire file system hierarchy read-only,
> > except for the API file system subtrees /dev, /proc and /sys (which can
> > be protected using PrivateDevices=, ProtectKernelTunables=,
> > ProtectControlGroups=).
> >
> > ProtectHome=true makes the directories /home, /root and /run/user
> > inaccessible and empty for the process.
>
> Currently I don't think we can use ProtectHome= as it is fully
> possible to save certificates and keys under $HOME/.cert on Fedora/RHEL
> (and clones). There is even a specific SELinux label for files in that
> path, home_cert_t.

I know that NetworkManager and its openvpn plugin use $HOME/.cert/... But openvpn is not started from systemd then. Do we have setups where openvpn starts from systemd and reads certificates from $HOME?

ProtectHome=read-only could help here... But I would still prefer ProtectHome=true.

BTW, the setting can be overwritten with something like:

mkdir /etc/systemd/system/openvpn-client@example.service.d
cat > /etc/systemd/system/openvpn-client@example.service.d/protecthome.conf <

> For the others, I think they are more reasonable ... But I need to dig
> into the more murky details to be 100% they are safe for us. This is
> anyhow something we need to postpone until after 2.4.0 ... I don't dare
> adding more things which may backfire in rc2, as we're on a strict
> schedule to manage the next Debian release.
>
> Once rc2 settles, I will start playing with this patch.

Agreed this is post-2.4.0 stuff. ;)

You can break this with something like:

status /etc/openvpn/client/status.log

in your configuration. Writing a status file to /run/openvpn-{client,server}/status.log works, though. So the default setups should be fine. Do we have any more cases where openvpn wants write access for whatever?

--
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}
Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units
On 09/12/16 19:13, Christian Hesse wrote:
> From: Christian Hesse
>
> ProtectSystem=strict mounts the entire file system hierarchy read-only,
> except for the API file system subtrees /dev, /proc and /sys (which can
> be protected using PrivateDevices=, ProtectKernelTunables=,
> ProtectControlGroups=).
>
> ProtectHome=true makes the directories /home, /root and /run/user
> inaccessible and empty for the process.

Currently I don't think we can use ProtectHome= as it is fully possible to save certificates and keys under $HOME/.cert on Fedora/RHEL (and clones). There is even a specific SELinux label for files in that path, home_cert_t.

For the others, I think they are more reasonable ... But I need to dig into the more murky details to be 100% they are safe for us. This is anyhow something we need to postpone until after 2.4.0 ... I don't dare adding more things which may backfire in rc2, as we're on a strict schedule to manage the next Debian release.

Once rc2 settles, I will start playing with this patch.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
[Openvpn-devel] [PATCH 1/1] add more security features for systemd units
From: Christian Hesse

ProtectSystem=strict mounts the entire file system hierarchy read-only,
except for the API file system subtrees /dev, /proc and /sys (which can
be protected using PrivateDevices=, ProtectKernelTunables=,
ProtectControlGroups=).

ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.

See systemd.exec(5) [0] for details.

[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Signed-off-by: Christian Hesse
---
 distro/systemd/openvpn-client@.service | 2 ++
 distro/systemd/openvpn-server@.service | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/distro/systemd/openvpn-client@.service b/distro/systemd/openvpn-client@.service
index 5618af3..3a9b7e2 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETU
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=strict
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/distro/systemd/openvpn-server@.service b/distro/systemd/openvpn-server@.service
index b9b4dba..a9e57b2 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RA
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=strict
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
--
2.10.2
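Review bot: in the openvpn-client@.service hunk, `+ProtectSystem=strict` is added after `DeviceAllow=/dev/net/tun rw` without any ReadWritePaths= (ReadWriteDirectories= on older systemd) to re-open the runtime locations, so /run/openvpn-client, /tmp and any --status or --log target named in a client config become read-only for the service and the open fails with "Read-only file system", as the thread discusses; either add a ReadWritePaths= line for the runtime directory in the same hunk or, since the thread notes RHEL7's systemd-219 only accepts 'true' and 'full', use ProtectSystem=full for the client unit. The `+ProtectHome=true` line also hides $HOME/.cert, which the thread says is a supported certificate location on Fedora/RHEL; ProtectHome=read-only, raised later in the thread, keeps those files readable and is the safer choice for a shipped default.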
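Review bot: the openvpn-server@.service hunk adds the same `+ProtectSystem=strict` / `+ProtectHome=true` pair, but the server is where the thread's breakage lives: ifconfig-pool-persist must stay persistent, --client-connect and --auth-user-pass-verify hand data back through files in --tmp-dir, and --status is written on every interval, and under strict with no ReadWritePaths= every path outside /dev, /proc and /sys is read-only. Suggest adding a ReadWritePaths= line in this hunk listing the state and runtime directories the thread settles on (/var/lib/openvpn, /run/openvpn-server and the tmp-dir location), or falling back to ProtectSystem=full for the systemd-219 baseline, and stating in the commit message which paths remain writable so packagers can review the unit against their SELinux policy.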