Opened 16 months ago

Last modified 3 months ago

#918 accepted Bug / Defect

openvpn-server@ systemd unit has insufficient capabilities

Reported by: jdh28 Owned by: David Sommerseth
Priority: major Milestone: release 2.4.4
Component: Installation Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: systemd
Cc:

Description

The openvpn-server@ systemd unit has a CapabilityBoundingSet= line in it. On Debian 9 (stretch) this is insufficient and the service cannot accept connections when using the auth-pam plugin.

The CAP_AUDIT_WRITE capability needs to be added.

Change History (9)

comment:1 Changed 16 months ago by tincantech

Watching

comment:2 Changed 16 months ago by jdh28

The Debian unit also has CAP_DAC_READ_SEARCH, but I did not need that for it to work.

The related Debian bugs are: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866523 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868806.

comment:3 Changed 16 months ago by David Sommerseth

Component: Packaging → Installation
Keywords: systemd added
Milestone: release 2.4.4
Owner: set to David Sommerseth
Status: new → accepted

I have not dug into the core details yet, but that auth-pam and the PAM infrastructure require additional privileges for writing audit information is quite likely. This is now on my todo-list and I will submit patches to the ML asap.

comment:4 Changed 14 months ago by mazzanet

Can we consider adding CAP_KILL to the list as well?

Example use case is a kill -HUP to dnsmasq in a learn-address script which is now denied.

comment:5 Changed 3 months ago by paelzer

Hi,
sorry that I need to revive this old ticket, but I really think the CapabilityBoundingSet of today is too narrow and breaks some use cases.

In addition there is quite some confusion going on due to a desynced upstream repository (https://github.com/OpenVPN/openvpn) vs. the upstream .deb file (https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos).


Let me first shed a bit of light on the history of this (as I reconstructed it over the last few days):

  1. Jan 2016 Debian/Ubuntu added CAP_AUDIT_WRITE as it is needed for e.g. pam

=>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795313
=>https://git.launchpad.net/ubuntu/+source/openvpn/commit/?id=86a1297ef6e98f4ffdbe095519a344ed35eaeb2e

  2. May 2016 sbuild_wrapper building your upstream .deb package copied from Xenial

=>https://github.com/OpenVPN/sbuild_wrapper/commit/94a3315fa7895ca0eb4699f6874ff859d1e2cbab

It still has that content this way

=>https://github.com/OpenVPN/sbuild_wrapper/blob/master/packaging/xenial/debian/openvpn%40.service

  3. January 2017 Upstream adds systemd service files

Those are NOT based on the same ones that systemd_wrapper has contained all along
=>https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/openvpn-server%40.service.in

  4. June 2017 Debian/Ubuntu tries to follow upstream guidance and adapts the service file to be closer to what is upstream

=> https://git.launchpad.net/ubuntu/+source/openvpn/commit/?id=86a1297ef6e98f4ffdbe095519a344ed35eaeb2e

  5. June 2017 Debian bug report finds AUDIT_WRITE is needed

=>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868806
From the discussion there this bug report here was opened
=> https://community.openvpn.net/openvpn/ticket/918

  6. August 2018 Ubuntu bug report on the same topic (we didn't know initially, but it turned out to be the same)

=> https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1787208
After wondering why some issues occur with the Ubuntu version, but not with the .deb from OpenVPN, we (again) found this is CAP_AUDIT_WRITE


After that let me also please summarize what should be done IMHO:

  1. please someone take a look and ack the suggested changes to add CAP_AUDIT_WRITE and CAP_KILL to the "official" file at

https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/openvpn-server%40.service.in

  2. someone also should adapt the sbuild_wrapper to use what the main repo provides as service files to eliminate this gap

=> https://github.com/OpenVPN/sbuild_wrapper/tree/master/packaging/xenial/debian

  3. once agreed that this is the right thing to do, Debian and Ubuntu can adapt the .service file delivered by them to match

I'd hope that this ends up with upstream openvpn, the openvpn .deb file, and the Ubuntu/Debian .deb files all having the same content.

comment:7 Changed 3 months ago by eworm

Citing myself from the mailing list:

I do not like services being allowed to send signals to other processes. As
dnsmasq supports a dbus interface... How about using that? For example to
clear the dns cache of an instance started from Networkmanager:

dbus-send --system --print-reply \
--dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
uk.org.thekelleys.ClearCache

comment:8 Changed 3 months ago by paelzer

I don't mind the KILL signal so much we can keep that off for another discussion.
I like the suggestion of the dbus signal, clearly worth a try for those with a matching setup.

What this bug was originally about and would have to be cleared soon is the AUDIT_WRITE.

Replying on the List as well as needed ...

comment:9 Changed 3 months ago by paelzer

FYI - there is an ack now on the patch Mail thread - thanks David!
And shortly after a commit:

commit a564781cfd9912d0f755394d1fa610706d93e707 (master)
commit 7cc372c7f6b4dcc20533433a20dfd5a95f117146 (release/2.4)
Author: Christian Ehrhardt
Date: Wed Aug 29 16:27:14 2018 +0200

systemd: extend CapabilityBoundingSet for auth_pam

Thanks everybody!

This bug can go to fixed once you have released the next minor version I think?
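The CapabilityBoundingSet= handling discussed in the description and in comments 4 and 5, as an added example that is not part of this ticket and not OpenVPN's, Debian's or Ubuntu's own code. It reads a unit file, computes the bounding set it actually declares (systemd ORs repeated CapabilityBoundingSet= lines together and an empty assignment resets the set), reports which of the capabilities a use case needs are missing, and prints a drop-in that adds them without copying the packaged unit. The sample unit and its capability list are constructed for the example and are not the real openvpn-server@.service.in; the drop-in path named in the comments is the standard systemd override location.

```shell
#!/bin/sh
# Added example; this is not code from the ticket, from OpenVPN, or from the
# Debian/Ubuntu packages.  It reads a systemd unit, works out the effective
# CapabilityBoundingSet= it declares, and prints a drop-in that ORs in any
# capability a use case needs (CAP_AUDIT_WRITE for auth-pam, CAP_KILL for a
# learn-address script that sends kill -HUP), without copying the whole unit.

# Constructed sample unit for this example.  The capability list is
# illustrative and is NOT the real upstream openvpn-server@.service.in.
SAMPLE_UNIT='[Unit]
Description=OpenVPN service for %I
After=network-online.target

[Service]
Type=notify
ExecStart=/usr/sbin/openvpn --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
ProtectSystem=true
'

# effective_caps: unit text on stdin -> one capability per line, sorted.
# Applies the systemd.exec rules that matter here: only [Service] counts,
# repeated CapabilityBoundingSet= lines are merged by OR, and an empty
# assignment resets everything before it.  A "~"-prefixed (inverted) line is
# reported as the token "~" because a drop-in cannot simply OR into it.
effective_caps() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        !in_service { next }
        /^CapabilityBoundingSet=/ {
            sub(/^CapabilityBoundingSet=/, "")
            if ($0 == "") { for (k in caps) delete caps[k]; next }
            if (substr($0, 1, 1) == "~") { print "~"; next }
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] != "") caps[f[i]] = 1
        }
        END { for (k in caps) print k }
    ' | sort
}

# missing_caps "CAP_A CAP_B": unit text on stdin -> the requested capabilities
# that the unit does not grant, one per line.  Returns 2 on an inverted set.
missing_caps() {
    have=" $(effective_caps | tr '\n' ' ')"
    case "$have" in
        *" ~ "*) echo "inverted (~) CapabilityBoundingSet= not handled" >&2; return 2 ;;
    esac
    for c in $1; do
        case "$have" in
            *" $c "*) ;;
            *) printf '%s\n' "$c" ;;
        esac
    done
}

# dropin_for "CAP_A CAP_B": unit text on stdin -> drop-in text, e.g. for
# /etc/systemd/system/openvpn-server@.service.d/caps.conf, or nothing if the
# unit already grants everything requested.
dropin_for() {
    miss=$(missing_caps "$1" | tr '\n' ' ')
    miss=${miss% }
    [ -n "$miss" ] || return 0
    printf '[Service]\nCapabilityBoundingSet=%s\n' "$miss"
}

# Usage: print the drop-in the constructed sample unit would need.
printf '%s' "$SAMPLE_UNIT" | dropin_for 'CAP_AUDIT_WRITE CAP_KILL'
```

After writing the drop-in, run `systemctl daemon-reload` and restart the instance; `systemctl show -p CapabilityBoundingSet openvpn-server@NAME` shows the merged value systemd ended up with, and `grep CapBnd /proc/PID/status` shows what the running process actually holds. Keep comment 7 in mind before adding CAP_KILL: it lets the service signal other processes, so where dnsmasq exposes its dbus interface the ClearCache call is the narrower option.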
