Opened 10 months ago

Last modified 8 months ago

#918 accepted Bug / Defect

openvpn-server@ systemd unit has insufficient capabilities

Reported by: jdh28 Owned by: David Sommerseth
Priority: major Milestone: release 2.4.4
Component: Installation Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: systemd
Cc:

Description

The openvpn-server@ systemd unit has a CapabilityBoundingSet= line in it. On Debian 9 (stretch) this is insufficient and the service cannot accept connections when using the auth-pam plugin.

The CAP_AUDIT_WRITE capability needs to be added.

Change History (4)

comment:1 Changed 10 months ago by tincantech

Watching

comment:2 Changed 10 months ago by jdh28

The Debian unit also has CAP_DAC_READ_SEARCH, but I did not need that for it to work.

The related Debian bugs are: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866523 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868806.

comment:3 Changed 10 months ago by David Sommerseth

Component: Packaging → Installation
Keywords: systemd added
Milestone: release 2.4.4
Owner: set to David Sommerseth
Status: new → accepted

I have not dug into the core details yet, but that auth-pam and the PAM infrastructure require additional privileges for writing audit information is quite likely. This is now on my todo-list and I will submit patches to the ML asap.

comment:4 Changed 8 months ago by mazzanet

Can we consider adding CAP_KILL to the list as well?

Example use case is a kill -HUP to dnsmasq in a learn-address script which is now denied.
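The following is an added example, not part of this ticket and not the OpenVPN project's own unit file. It shows how an administrator can check whether a running openvpn-server@ instance's effective bounding set already contains CAP_AUDIT_WRITE (the capability the description says auth-pam needs), and it generates a systemd drop-in that adds a capability without replacing the upstream list: systemd merges multiple CapabilityBoundingSet= assignments by OR, so the drop-in only needs to name the additions. The instance name "server", the drop-in path, and the constructed capability strings in the helper functions are assumptions; CAP_KILL from comment 4 can be passed the same way if a learn-address script needs to signal a helper process.

```shell
#!/bin/sh
# Added example (not from the ticket or the OpenVPN project): report
# capabilities missing from a unit's bounding set and emit the drop-in
# that adds them. Assumptions: instance name "server" is a placeholder;
# `systemctl show` prints capability names in lower case, space-separated.

# missing_caps CURRENT REQUIRED
#   CURRENT  : space-separated capabilities currently in the bounding set
#   REQUIRED : space-separated capabilities that must be present
#   Prints each required capability that is absent, lower-cased, one per line.
missing_caps() {
    current=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for cap in $(printf '%s' "$2" | tr 'A-Z' 'a-z'); do
        case " $current " in
            *" $cap "*) ;;                  # already present
            *) printf '%s\n' "$cap" ;;      # missing
        esac
    done
}

# drop_in_text CAPS
#   Emits a drop-in fragment. Because systemd ORs repeated
#   CapabilityBoundingSet= lines together, this only adds CAPS to whatever
#   the packaged unit already grants; it never widens the set further.
drop_in_text() {
    printf '[Service]\nCapabilityBoundingSet=%s\n' "$1"
}

# Live check, only when invoked with --check on a systemd host.
if [ "${1:-}" = "--check" ] && command -v systemctl >/dev/null 2>&1; then
    unit="openvpn-server@server.service"          # placeholder instance
    dropin="/etc/systemd/system/openvpn-server@.service.d/override.conf"
    have=$(systemctl show -p CapabilityBoundingSet --value "$unit")
    need=$(missing_caps "$have" "CAP_AUDIT_WRITE")
    if [ -n "$need" ]; then
        echo "missing from $unit: $need"
        echo "suggested drop-in ($dropin), then run: systemctl daemon-reload"
        drop_in_text "CAP_AUDIT_WRITE"
    else
        echo "$unit already has CAP_AUDIT_WRITE"
    fi
fi
```

After writing the drop-in and running `systemctl daemon-reload`, re-running the script with `--check` should report the capability as present; keeping the drop-in to the single capability the plugin needs preserves the least-privilege intent of the upstream bounding set.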
