Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-12 Thread David Sommerseth
On 12/12/16 20:44, Gert Doering wrote: > Hi, > > On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote: >> From: Christian Hesse >> >> ProtectSystem=strict mounts the entire file system hierarchy read-only, >> except for the API file system subtrees /dev, /proc and /sys

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-12 Thread Arne Schwabe
>> >> (I do not think an openvpn *client* config will need a to create >> files, but this needs testing) >> No, it does not. You compile with CLIENT_ONLY the tmp-dir option will throw an error. Arne -- Check out the

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-12 Thread SviMik
> Hi, > > On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote: > > From: Christian Hesse > > > > ProtectSystem=strict mounts the entire file system hierarchy read-only, > > except for the API file system subtrees /dev, /proc and /sys (which can > > be protected using

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-12 Thread Gert Doering
Hi, On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote: > From: Christian Hesse > > ProtectSystem=strict mounts the entire file system hierarchy read-only, > except for the API file system subtrees /dev, /proc and /sys (which can > be protected using PrivateDevices=,

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-10 Thread David Sommerseth
On 10/12/16 12:57, Christian Hesse wrote: > SviMik on Sat, 2016/12/10 06:06: >>> You can break this with something like: >>> >>> status /etc/openvpn/client/status.log >>> >>> in your configuration. Writing a status file >>> to /run/openvpn-{client,server}/status.log works, though.

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-10 Thread Christian Hesse
SviMik on Sat, 2016/12/10 06:06: > > You can break this with something like: > > > > status /etc/openvpn/client/status.log > > > > in your configuration. Writing a status file > > to /run/openvpn-{client,server}/status.log works, though. So the default > > setups should be fine.

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread SviMik
> You can break this with something like: > > status /etc/openvpn/client/status.log > > in your configuration. Writing a status file > to /run/openvpn-{client,server}/status.log works, though. So the default > setups should be fine. Do we have any more cases where openvpn wants write > access

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread Christian Hesse
David Sommerseth on Fri, 2016/12/09 20:42: > On 09/12/16 19:13, Christian Hesse wrote: > > From: Christian Hesse > > > > ProtectSystem=strict mounts the entire file system hierarchy read-only, > > except for the API file system subtrees /dev,

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread David Sommerseth
On 09/12/16 19:13, Christian Hesse wrote: > From: Christian Hesse > > ProtectSystem=strict mounts the entire file system hierarchy read-only, > except for the API file system subtrees /dev, /proc and /sys (which can > be protected using PrivateDevices=, ProtectKernelTunables=, >

[Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread Christian Hesse
From: Christian Hesse ProtectSystem=strict mounts the entire file system hierarchy read-only, except for the API file system subtrees /dev, /proc and /sys (which can be protected using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). ProtectHome=true makes the