Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-12 Thread David Sommerseth
On 12/12/16 20:44, Gert Doering wrote:
> Hi,
> 
> On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote:
>> From: Christian Hesse 
>>
>> ProtectSystem=strict mounts the entire file system hierarchy read-only,
>> except for the API file system subtrees /dev, /proc and /sys (which can
>> be protected using PrivateDevices=, ProtectKernelTunables=,
>> ProtectControlGroups=).
> 
> Unless the temp directories are still writeable, this will break 
> server configs with --client-connect scripts or plugins trying to hand 
> back config settings via temp files.

Agreed, we cannot have /tmp (or --tmp-dir) read-only.

However, I read up a bit on ProtectSystem= on RHEL7.  And on RHEL7
(shipping systemd-219) ProtectSystem= can only be 'full' or 'true' (it
is 'false'/off by default).  We cannot use any other values, as RHEL
defines the oldest distros we support, and RHEL7 is the oldest systemd
distro we will support in the future.

We can definitely use ProtectSystem=true, as that ensures /usr and /boot
are read-only.  That is safe.  If using 'full', /etc is also made
read-only.  I personally think this makes sense too, as if you have any
state or log files, they should be placed under /var/log, {/var,}/run or
/var/lib.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc




Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-12 Thread Arne Schwabe

>>
>> (I do not think an openvpn *client* config will need to create
>> files, but this needs testing)
>>

No, it does not. If you compile with CLIENT_ONLY, the tmp-dir option will
throw an error.

Arne



Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-12 Thread SviMik
> Hi,
> 
> On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote:
> > From: Christian Hesse 
> > 
> > ProtectSystem=strict mounts the entire file system hierarchy read-only,
> > except for the API file system subtrees /dev, /proc and /sys (which can
> > be protected using PrivateDevices=, ProtectKernelTunables=,
> > ProtectControlGroups=).
> 
> Unless the temp directories are still writeable, this will break 
> server configs with --client-connect scripts or plugins trying to hand 
> back config settings via temp files.
> 
> (I do not think an openvpn *client* config will need to create
> files, but this needs testing)
> 

Even if you find a way to store temporary files, I'm still not sure what can be 
done with ifconfig-pool-persist. It's not a temp file, it should be persistent.


Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-12 Thread Gert Doering
Hi,

On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote:
> From: Christian Hesse 
> 
> ProtectSystem=strict mounts the entire file system hierarchy read-only,
> except for the API file system subtrees /dev, /proc and /sys (which can
> be protected using PrivateDevices=, ProtectKernelTunables=,
> ProtectControlGroups=).

Unless the temp directories are still writeable, this will break 
server configs with --client-connect scripts or plugins trying to hand 
back config settings via temp files.

(I do not think an openvpn *client* config will need to create
files, but this needs testing)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-10 Thread David Sommerseth
On 10/12/16 12:57, Christian Hesse wrote:
> SviMik  on Sat, 2016/12/10 06:06:
>>> You can break this with something like:
>>>
>>> status /etc/openvpn/client/status.log
>>>
>>> in your configuration. Writing a status file
>>> to /run/openvpn-{client,server}/status.log works, though. So the default
>>> setups should be fine. Do we have any more cases where openvpn wants write
>>> access for whatever?  
>>
>> From my configuration:
>> 1) status
> 
> That is fine if it is written to /run/openvpn-{client,server}/. It breaks
> with the status file in /etc/openvpn/{client,server}/, for example.

FWIW, the default SELinux policies actually deny any openvpn_exec_t
process write access to /etc ... I believe that is independent of Linux
distros, as long as SELinux has been enabled and the system is in
Enforcing mode.

>> 2) ifconfig-pool-persist
> 
> That is a problem... As the name suggests this should be persistent. :-/

Same SELinux issue here too.  IIRC, these files need to be located
under /var/lib/openvpn or /var/run/openvpn.  But I do see there is one
exception ... /etc/openvpn/ipp\.txt will be labelled openvpn_etc_rw_t,
which OpenVPN is allowed to write to.

>> 3) tmp-dir (for storing openvpn_pf_*.tmp files)
> 
> Never used this. What is it for?
> Anyway, I think this is not persistent stuff? Writing to /tmp/
> or /run/openvpn-{client,server}/ should be fine.

The openvpn_pf_*.tmp files are just one thing.  If you use
--auth-user-pass-verify script hooks or perhaps even --plugin for
authentication, other temp files are generated in the default tmp-dir.
See commit 4e1cc5f6dda22e9ff12 for more info.

>> 4) client-connect script may want to write something
> 
> My scripts do some configuration and dbus-stuff, but do not write anything...
> Writing to read-only path would fail, of course.

Again, SELinux can already block this ... unless you write in the
properly labelled directories for OpenVPN.

>> 5) a plugin may want to write something
> 
> Same here... /run/ and /tmp/ is fine, other paths fail.

The same as 4)

>> For me even the read-only option will break nearly *everything*. And for
>> user it will be completely not obvious why his scripts doesn't work, why
>> his status file is not updated, and what's wrong with ifconfig-pool-persist.
> 
> Well, the error message should include something like: "cannot open file
> 'file': Read-only file system".
> 
> But this is more problematic than I thought initially.

If we have some directories which comply with the SELinux policies in
regards to read/write privileges, we should be fine.  And restricting
which directories OpenVPN can write to is quite sane.  All those many
blogs putting runtime status files into /etc/openvpn have
misunderstood quite a bit of the concept of the Unix file system layout.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-10 Thread Christian Hesse
SviMik  on Sat, 2016/12/10 06:06:
> > You can break this with something like:
> > 
> > status /etc/openvpn/client/status.log
> > 
> > in your configuration. Writing a status file
> > to /run/openvpn-{client,server}/status.log works, though. So the default
> > setups should be fine. Do we have any more cases where openvpn wants write
> > access for whatever?  
> 
> From my configuration:
> 1) status

That is fine if it is written to /run/openvpn-{client,server}/. It breaks
with the status file in /etc/openvpn/{client,server}/, for example.

> 2) ifconfig-pool-persist

That is a problem... As the name suggests this should be persistent. :-/

> 3) tmp-dir (for storing openvpn_pf_*.tmp files)

Never used this. What is it for?
Anyway, I think this is not persistent stuff? Writing to /tmp/
or /run/openvpn-{client,server}/ should be fine.

> 4) client-connect script may want to write something

My scripts do some configuration and dbus-stuff, but do not write anything...
Writing to read-only path would fail, of course.

> 5) a plugin may want to write something

Same here... /run/ and /tmp/ is fine, other paths fail.

> For me even the read-only option will break nearly *everything*. And for
> user it will be completely not obvious why his scripts doesn't work, why
> his status file is not updated, and what's wrong with ifconfig-pool-persist.

Well, the error message should include something like: "cannot open file
'file': Read-only file system".

But this is more problematic than I thought initially.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread SviMik
> You can break this with something like:
> 
> status /etc/openvpn/client/status.log
> 
> in your configuration. Writing a status file
> to /run/openvpn-{client,server}/status.log works, though. So the default
> setups should be fine. Do we have any more cases where openvpn wants write
> access for whatever?

From my configuration:
1) status
2) ifconfig-pool-persist
3) tmp-dir (for storing openvpn_pf_*.tmp files)
4) client-connect script may want to write something
5) a plugin may want to write something

For me even the read-only option will break nearly *everything*. And for the
user it will be completely non-obvious why his scripts don't work, why his
status file is not updated, and what's wrong with ifconfig-pool-persist.
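The list above (status, ifconfig-pool-persist, tmp-dir, and files written by scripts or plugins) and David's later point that ProtectSystem= comes in 'true', 'full' and 'strict' flavours with different read-only sets can be turned into a pre-flight check. The script below is an added example, not OpenVPN or systemd code: it greps an OpenVPN config for directives whose argument OpenVPN writes to and tests each path against a simplified model of the three ProtectSystem= modes. The directive list, the read-only path model and the sample config are the example's own assumptions; the extra prefixes passed to the functions stand in for ReadWritePaths= (ReadWriteDirectories= on older systemd) entries.

```shell
#!/bin/sh
# Added example, not OpenVPN or systemd code: list the directives in an
# OpenVPN config that need a writable path and check them against a
# simplified model of ProtectSystem=true|full|strict. The directive list
# and the read-only path model are this example's own assumptions.

SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT

# Constructed sample server config (not taken from the thread).
cat > "$SAMPLE_CFG" <<'EOF'
port 1194
dev tun
status /etc/openvpn/server/status.log 10
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
log-append /var/log/openvpn/server.log
writepid /run/openvpn-server/server.pid
tmp-dir /tmp
EOF

# path_writable MODE PATH [RW_PREFIX...]
# Returns 0 if PATH stays writable under ProtectSystem=MODE. Extra arguments
# model ReadWritePaths= (ReadWriteDirectories= on older systemd) prefixes.
# Model: true   -> /usr and /boot read-only
#        full   -> additionally /etc read-only
#        strict -> everything read-only except /dev, /proc and /sys
path_writable() {
    mode=$1; path=$2; shift 2
    for rw in "$@"; do
        case "$path" in "$rw"|"$rw"/*) return 0 ;; esac
    done
    case "$mode" in
        true)   case "$path" in /usr|/usr/*|/boot|/boot/*) return 1 ;; esac ;;
        full)   case "$path" in /usr|/usr/*|/boot|/boot/*|/etc|/etc/*) return 1 ;; esac ;;
        strict) case "$path" in /dev/*|/proc/*|/sys/*) return 0 ;; esac; return 1 ;;
        *)      echo "unknown ProtectSystem= value: $mode" >&2; return 2 ;;
    esac
    return 0
}

# blocked_directives MODE CFG [RW_PREFIX...]
# Prints "directive path" for every write-requiring directive whose target
# is read-only under the model; prints nothing when the config is safe.
blocked_directives() {
    mode=$1; cfg=$2; shift 2
    grep -E '^[[:space:]]*(status|ifconfig-pool-persist|log|log-append|writepid|tmp-dir)[[:space:]]+' "$cfg" |
    while read -r directive target _rest; do
        # tmp-dir names a directory; test a file that would be created inside it
        case "$directive" in tmp-dir) probe="${target%/}/probe" ;; *) probe=$target ;; esac
        if ! path_writable "$mode" "$probe" "$@"; then
            printf '%s %s\n' "$directive" "$target"
        fi
    done
}

# blocked_count MODE CFG [RW_PREFIX...]: number of blocked directives
blocked_count() {
    blocked_directives "$@" | wc -l | tr -d ' '
}

# Demo: what breaks under ProtectSystem=full, and under strict once the
# runtime directories named in this thread are allowed?
echo "ProtectSystem=full:";   blocked_directives full   "$SAMPLE_CFG"
echo "ProtectSystem=strict:"; blocked_directives strict "$SAMPLE_CFG" \
    /run/openvpn-server /var/lib/openvpn /var/log/openvpn /tmp
```

Under 'full' only the status file under /etc is reported; under 'strict' with the runtime directories allowed, the same /etc status file is the single remaining problem, which is exactly the "move state out of /etc" argument made later in the thread. The model deliberately ignores PrivateTmp= and SELinux labelling, both of which change the real answer.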
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread Christian Hesse
David Sommerseth  on Fri, 2016/12/09 20:42:
> On 09/12/16 19:13, Christian Hesse wrote:
> > From: Christian Hesse 
> > 
> > ProtectSystem=strict mounts the entire file system hierarchy read-only,
> > except for the API file system subtrees /dev, /proc and /sys (which can
> > be protected using PrivateDevices=, ProtectKernelTunables=,
> > ProtectControlGroups=).
> > 
> > ProtectHome=true makes the directories /home, /root and /run/user
> > inaccessible and empty for the process.  
> 
> Currently I don't think we can use ProtectHome= as it is fully
> possible to save certificates and keys under $HOME/.cert on Fedora/RHEL
> (and clones).  There is even a specific SELinux label for files in that
> path, home_cert_t.

I know that NetworkManager and its openvpn plugin use $HOME/.cert/... But
openvpn is not started from systemd then. Do we have setups where openvpn
starts from systemd and reads certificates from $HOME?

ProtectHome=read-only could help here... But I would still prefer
ProtectHome=true.

BTW, setting can be overwritten with something like:

mkdir /etc/systemd/system/openvpn-client@example.service.d
cat > /etc/systemd/system/openvpn-client@example.service.d/protecthome.conf

> For the others, I think they are more reasonable ... But I need to dig
> into the more murky details to be 100% they are safe for us.  This is
> anyhow something we need to postpone until after 2.4.0 ... I don't dare
> adding more things which may backfire in rc2, as we're on a strict
> schedule to manage the next Debian release.
> 
> Once rc2 settles, I will start playing with this patch.

Agreed this is post-2.4.0 stuff. ;)

You can break this with something like:

status /etc/openvpn/client/status.log

in your configuration. Writing a status file
to /run/openvpn-{client,server}/status.log works, though. So the default
setups should be fine. Do we have any more cases where openvpn wants write
access for whatever?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}
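The per-instance override Christian sketches (a .d directory next to the instance name with a protecthome.conf inside) works because systemd reads the unit file first and then every *.conf drop-in, and for a single-valued setting like ProtectHome= the last assignment wins. The script below is an added example, not part of the patch or of OpenVPN: it writes that drop-in into a temporary directory instead of /etc/systemd/system, against a constructed stand-in for the unit that contains only the two keys of interest, and computes the value systemd would end up using.

```shell
#!/bin/sh
# Added example, not from the patch or OpenVPN: create the per-instance
# drop-in the message describes and show which value systemd ends up using.
# The unit text is a constructed stand-in with only the keys of interest,
# and the work is done in a temporary directory instead of /etc/systemd/system.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

UNIT="$WORK/openvpn-client@.service"
cat > "$UNIT" <<'EOF'
[Service]
ProtectSystem=strict
ProtectHome=true
EOF

# write_dropin DIR VALUE: drop-in that relaxes ProtectHome= for one instance.
# On a real system DIR is the instance's .d directory, e.g.
# /etc/systemd/system/openvpn-client@example.service.d (assumed path),
# followed by "systemctl daemon-reload".
write_dropin() {
    mkdir -p "$1"
    printf '[Service]\nProtectHome=%s\n' "$2" > "$1/protecthome.conf"
}

# effective_value UNIT DIR KEY: value of a single-valued key after drop-ins.
# systemd reads the unit first, then DIR/*.conf in name order; for a
# single-valued setting the last assignment wins.
effective_value() {
    unit=$1; dir=$2; key=$3
    {
        cat "$unit"
        for f in "$dir"/*.conf; do
            if [ -f "$f" ]; then cat "$f"; fi
        done
    } | sed -n "s/^${key}=//p" | tail -n 1
}

DROPIN="$WORK/openvpn-client@example.service.d"
write_dropin "$DROPIN" read-only
echo "ProtectHome=$(effective_value "$UNIT" "$DROPIN" ProtectHome)"
echo "ProtectSystem=$(effective_value "$UNIT" "$DROPIN" ProtectSystem)"
```

The drop-in only touches ProtectHome=, so ProtectSystem=strict from the packaged unit survives; that is the point of overriding per instance rather than copying the whole unit, which would silently pin every other hardening setting to the copied version.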




Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread David Sommerseth
On 09/12/16 19:13, Christian Hesse wrote:
> From: Christian Hesse 
> 
> ProtectSystem=strict mounts the entire file system hierarchy read-only,
> except for the API file system subtrees /dev, /proc and /sys (which can
> be protected using PrivateDevices=, ProtectKernelTunables=,
> ProtectControlGroups=).
> 
> ProtectHome=true makes the directories /home, /root and /run/user
> inaccessible and empty for the process.

Currently I don't think we can use ProtectHome= as it is fully
possible to save certificates and keys under $HOME/.cert on Fedora/RHEL
(and clones).  There is even a specific SELinux label for files in that
path, home_cert_t.

For the others, I think they are more reasonable ... But I need to dig
into the more murky details to be 100% sure they are safe for us.  This is
anyhow something we need to postpone until after 2.4.0 ... I don't dare
add more things which may backfire in rc2, as we're on a strict
schedule to manage the next Debian release.

Once rc2 settles, I will start playing with this patch.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






[Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread Christian Hesse
From: Christian Hesse 

ProtectSystem=strict mounts the entire file system hierarchy read-only,
except for the API file system subtrees /dev, /proc and /sys (which can
be protected using PrivateDevices=, ProtectKernelTunables=,
ProtectControlGroups=).

ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.

See systemd.exec(5) [0] for details.

[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Signed-off-by: Christian Hesse 
---
 distro/systemd/openvpn-client@.service | 2 ++
 distro/systemd/openvpn-server@.service | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 5618af3..3a9b7e2 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW 
CAP_SETGID CAP_SETU
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=strict
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
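Review bot: ProtectSystem=strict in this client-unit hunk leaves nothing writable except /dev, /proc and /sys, so a client config that uses --status, --log/--log-append or --writepid outside those trees will fail with "Read-only file system" unless the unit also lists the writable locations (the thread names /run/openvpn-client as the intended one); the hunk adds no such allowance, and the thread also notes that RHEL7's systemd-219 only accepts ProtectSystem=true or full, so 'strict' would not even parse there. ProtectHome=true additionally hides $HOME/.cert, which the thread says Fedora/RHEL setups use for keys and certificates; ProtectHome=read-only, as suggested in the thread, keeps those readable, and the commit message should state which config paths are expected to break.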
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index b9b4dba..a9e57b2 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN 
CAP_NET_BIND_SERVICE CAP_NET_RA
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=strict
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
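Review bot: the server unit is the harder case and this hunk does not account for it: --ifconfig-pool-persist needs a persistent writable file, --client-connect scripts and plugins hand settings back through files under --tmp-dir, and --auth-user-pass-verify also creates temp files there, none of which stays writable under ProtectSystem=strict. Either keep /tmp (or the configured --tmp-dir), /run/openvpn-server and /var/lib/openvpn writable alongside 'strict', or fall back to ProtectSystem=full/true as proposed in the thread, and note in the commit message that status and ifconfig-pool-persist files under /etc/openvpn will stop working.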
-- 
2.10.2

