Opened 7 years ago
Closed 3 years ago
#918 closed Bug / Defect (fixed)
openvpn-server@ systemd unit has insufficient capabilities
| Reported by: | jdh28 | Owned by: | David Sommerseth |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.4.7 |
| Component: | Installation | Version: | OpenVPN 2.4.0 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | systemd |
| Cc: |
Description
The openvpn-server@ systemd unit has a CapabilityBoundingSet? line in it. On Debian 9 (stretch) this is insufficient and the service cannot accept connections when using the auth-pam plugin.
The CAP_AUDIT_WRITE capability needs to be added.
Change History (10)
comment:1 Changed 7 years ago by
comment:2 Changed 7 years ago by
The Debian unit also has CAP_DAC_READ_SEARCH, but I did not need that for it to work.
The related Debian bugs are: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866523 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868806.
comment:3 Changed 7 years ago by
| Component: | Packaging → Installation |
|---|---|
| Keywords: | systemd added |
| Milestone: | → release 2.4.4 |
| Owner: | set to David Sommerseth |
| Status: | new → accepted |
I have not dug into the core details yet, but that auth-pam and the PAM infrastructure requires additional privileges for writing audit information is quite likely. This is now on my todo-list and will submit patches to the ML asap.
comment:4 Changed 7 years ago by
Can we consider adding CAP_KILL to the list as well?
Example use case is a kill -HUP to dnsmasq in a learn-address script which is now denied.
comment:5 Changed 6 years ago by
Hi,
sorry that I need to revive this old ticket, but I really think the CapabilityBoundingSet? of today is too narrow and breaks some sue cases.
In addition there is quite some confusion going on due a desynced upstream repository (https://github.com/OpenVPN/openvpn) vs upstream .deb file (https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos).
Let me first shed a bit of history on this (as I reconstructed it over the last few days):
- Jan 2016 Debian/Ubuntu? added CAP_AUDIT_WRITE as it is needed for e.g. pam
=>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795313
=>https://git.launchpad.net/ubuntu/+source/openvpn/commit/?id=86a1297ef6e98f4ffdbe095519a344ed35eaeb2e
- May 2016 sbuild_wrapper building your upstream .deb package copied from Xenial
=>https://github.com/OpenVPN/sbuild_wrapper/commit/94a3315fa7895ca0eb4699f6874ff859d1e2cbab
It still has that content this way
=>https://github.com/OpenVPN/sbuild_wrapper/blob/master/packaging/xenial/debian/openvpn%40.service
- Janary 2017 Upsteam adds systemd service files
Those are NOT based on the same that systemd_wrapper contains all the time
=>https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/openvpn-server%40.service.in
- June 2017 Debian/Ubuntu? tries to follow upstream guidance and adapts service file to be closer to what is upstream
- June 2017 Debian bug report finds AUDIT_WRITE is needed
=>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868806
From the discussion there this bug report here is opened
=> https://community.openvpn.net/openvpn/ticket/918
- August 2018 Ubuntu bug report on the same topic (we didn't know initially, but it turned out to be the same)
=> https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1787208
After wondering why some issues occur with the Ubuntu version, but not with the.deb from OpenVpn? we (again) found this is CAP_AUDIT_WRITE
After that let me also please summarize what should be done IMHO:
- please someone take a look and ack to the sugegsted changes to add CAP_AUDIT_WRITE and CAP_KILL to the "official" file at
https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/openvpn-server%40.service.in
- someone also should adapt the sbuild_wrapper to use what the main repo provides as service files to eliminate this gap
=> https://github.com/OpenVPN/sbuild_wrapper/tree/master/packaging/xenial/debian
- once agreed that this is the right thing to do Debian and Ubuntu can adapt the .service file delivered by them to match
I'd hope that this ends up with upstream-openvpn, openvpn .deb file, Ubuntu/Debian? .deb files all having the same content.
comment:6 Changed 6 years ago by
Posted suggested changes to the ML to get this ball rollin
=> https://sourceforge.net/p/openvpn/mailman/message/36403133/
=> https://sourceforge.net/p/openvpn/mailman/message/36403134/
=> https://sourceforge.net/p/openvpn/mailman/message/36403135/
comment:7 Changed 6 years ago by
Citing myself from the mailing list:
I do not like services being allowed to send signals to other processes. As
dnsmasq supports a dbus interface... How about using that? For example to
clear the dns cache of an instance started from Networkmanager:
dbus-send --system --print-reply \
--dest=org.freedesktop.NetworkManager?.dnsmasq /uk/org/thekelleys/dnsmasq \
uk.org.thekelleys.ClearCache?
comment:8 Changed 6 years ago by
I don't mind the KILL signal so much we can keep that off for another discussion.
I like the suggestion if the dbus signal, clearly worth a try for those with a matching setup.
What this bug was originally about and would have to be cleared soon is the AUDIT_WRITE.
Replying on the List as well as needed ...
comment:9 Changed 6 years ago by
FYI - there is an ack now on the patch Mail thread - thanks David!
And shortly after a commit:
commit a564781cfd9912d0f755394d1fa610706d93e707 (master)
commit 7cc372c7f6b4dcc20533433a20dfd5a95f117146 (release/2.4)
Author: Christian Ehrhardt
Date: Wed Aug 29 16:27:14 2018 +0200
systemd: extend CapabilityBoundingSet? for auth_pam
Thanks everybody!
This bug can go to fixed once you released the next minor version I think?
comment:10 Changed 3 years ago by
| Milestone: | release 2.4.4 → release 2.4.7 |
|---|---|
| Resolution: | → fixed |
| Status: | accepted → closed |
Since the ticket said "this can go into fixed", I'll do that now. It went into v2.4.7.
Watching