[Openvpn-devel,2/2] systemd: extend CapabilityBoundingSet for learn-address

Message ID 20180829142715.417-3-christian.ehrhardt@canonical.com
State Changes Requested
Headers show
Series
  • extend systemd service files for common use cases
Related show

Commit Message

Christian Ehrhardt Aug. 29, 2018, 2:27 p.m.
It seems a not too uncommon case that learn-address needs to recycle
dnsmasq - to do so it would need CAP_KILL.

This was suggested on https://community.openvpn.net/openvpn/ticket/918

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 distro/systemd/openvpn-server@.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Christian Hesse Aug. 29, 2018, 7:05 p.m. | #1
Christian Ehrhardt <christian.ehrhardt@canonical.com> on Wed, 2018/08/29
16:27:
> It seems a not too uncommon case that learn-address needs to recycle
> dnsmasq - to do so it would need CAP_KILL.
> 
> This was suggested on https://community.openvpn.net/openvpn/ticket/918
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  distro/systemd/openvpn-server@.service.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/distro/systemd/openvpn-server@.service.in
> b/distro/systemd/openvpn-server@.service.in index d1cc72cb..edace213 100644
> --- a/distro/systemd/openvpn-server@.service.in
> +++ b/distro/systemd/openvpn-server@.service.in
> @@ -11,7 +11,7 @@ Type=notify
>  PrivateTmp=true
>  WorkingDirectory=/etc/openvpn/server
>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw

I do not like services being allowed to send signals to other processes. As
dnsmasq supports a dbus interface... How about using that? For example to
clear the dns cache of an instance started from Networkmanager:

dbus-send --system --print-reply \
--dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
uk.org.thekelleys.ClearCache
David Sommerseth Aug. 29, 2018, 11:38 p.m. | #2
On 29/08/18 21:05, Christian Hesse wrote:
> Christian Ehrhardt <christian.ehrhardt@canonical.com> on Wed, 2018/08/29
> 16:27:
>> It seems a not too uncommon case that learn-address needs to recycle
>> dnsmasq - to do so it would need CAP_KILL.
>>
>> This was suggested on https://community.openvpn.net/openvpn/ticket/918
>>
>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
>> ---
>>  distro/systemd/openvpn-server@.service.in | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/distro/systemd/openvpn-server@.service.in
>> b/distro/systemd/openvpn-server@.service.in index d1cc72cb..edace213 100644
>> --- a/distro/systemd/openvpn-server@.service.in
>> +++ b/distro/systemd/openvpn-server@.service.in
>> @@ -11,7 +11,7 @@ Type=notify
>>  PrivateTmp=true
>>  WorkingDirectory=/etc/openvpn/server
>>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
>> --status-version 2 --suppress-timestamps --config %i.conf
>> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
>> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
>> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
>> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw
> 
> I do not like services being allowed to send signals to other processes. As
> dnsmasq supports a dbus interface... How about using that? For example to
> clear the dns cache of an instance started from Networkmanager:
> 
> dbus-send --system --print-reply \
> --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
> uk.org.thekelleys.ClearCache

+1 ... CAP_KILL privileges can too easily prepare the ground for DoS attacks.

The D-Bus approach above seems much saner and safer.  Also because D-Bus gives
a reasonable protection in regards to privilege escalation attacks.  But you
most likely need to prepare a D-Bus policy for dnsmasq though, to allow the
openvpn user (or whatever user who will execute this script) access to the
uk.org.thekelleys.ClearCache D-Bus method.
Christian Ehrhardt Aug. 30, 2018, 8:02 a.m. | #3
On Thu, Aug 30, 2018 at 1:38 AM David Sommerseth <
openvpn@sf.lists.topphemmelig.net> wrote:

> On 29/08/18 21:05, Christian Hesse wrote:
> > Christian Ehrhardt <christian.ehrhardt@canonical.com> on Wed, 2018/08/29
> > 16:27:
> >> It seems a not too uncommon case that learn-address needs to recycle
> >> dnsmasq - to do so it would need CAP_KILL.
> >>
> >> This was suggested on https://community.openvpn.net/openvpn/ticket/918
> >>
> >> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> >> ---
> >>  distro/systemd/openvpn-server@.service.in | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/distro/systemd/openvpn-server@.service.in
> >> b/distro/systemd/openvpn-server@.service.in index d1cc72cb..edace213
> 100644
> >> --- a/distro/systemd/openvpn-server@.service.in
> >> +++ b/distro/systemd/openvpn-server@.service.in
> >> @@ -11,7 +11,7 @@ Type=notify
> >>  PrivateTmp=true
> >>  WorkingDirectory=/etc/openvpn/server
> >>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
> >> --status-version 2 --suppress-timestamps --config %i.conf
> >> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> >> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> >> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
> >> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> >> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
> >> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw
> >
> > I do not like services being allowed to send signals to other processes.
> As
> > dnsmasq supports a dbus interface... How about using that? For example to
> > clear the dns cache of an instance started from Networkmanager:
> >
> > dbus-send --system --print-reply \
> > --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq
> \
> > uk.org.thekelleys.ClearCache
>
> +1 ... CAP_KILL privileges can too easily prepare the ground for DoS
> attacks.
>
> The D-Bus approach above seems much saner and safer.  Also because D-Bus
> gives
> a reasonable protection in regards to privilege escalation attacks.  But
> you
> most likely need to prepare a D-Bus policy for dnsmasq though, to allow the
> openvpn user (or whatever user who will execute this script) access to the
> uk.org.thekelleys.ClearCache D-Bus method.
>

I don't mind the KILL signal so much we can keep that off for another
discussion.
I like the suggestion if the dbus signal, clearly worth a try for those
with a matching setup.

After all my own thought of "umm KILL might be too much" is why I have
split it :-)

What bug 918 was originally about and would have to be cleared soon is the
CAP_AUDIT_WRITE.

So while we seem to agree we don't want/like CAP_KILL, could we add
CAP_AUDIT_WRITE as submitted?


> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc
>
>
>

Patch

diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
index d1cc72cb..edace213 100644
--- a/distro/systemd/openvpn-server@.service.in
+++ b/distro/systemd/openvpn-server@.service.in
@@ -11,7 +11,7 @@  Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw