[Openvpn-devel,2/2] systemd: extend CapabilityBoundingSet for learn-address

Message ID 20180829142715.417-3-christian.ehrhardt@canonical.com
State Changes Requested
Series extend systemd service files for common use cases

Commit Message

Christian Ehrhardt Aug. 29, 2018, 4:27 a.m. UTC
It seems a not too uncommon case that learn-address needs to recycle
dnsmasq - to do so it would need CAP_KILL.

This was suggested on https://community.openvpn.net/openvpn/ticket/918

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 distro/systemd/openvpn-server@.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Christian Hesse Aug. 29, 2018, 9:05 a.m. UTC | #1
Christian Ehrhardt <christian.ehrhardt@canonical.com> on Wed, 2018/08/29
16:27:
> It seems a not too uncommon case that learn-address needs to recycle
> dnsmasq - to do so it would need CAP_KILL.
> 
> This was suggested on https://community.openvpn.net/openvpn/ticket/918
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  distro/systemd/openvpn-server@.service.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/distro/systemd/openvpn-server@.service.in
> b/distro/systemd/openvpn-server@.service.in index d1cc72cb..edace213 100644
> --- a/distro/systemd/openvpn-server@.service.in
> +++ b/distro/systemd/openvpn-server@.service.in
> @@ -11,7 +11,7 @@ Type=notify
>  PrivateTmp=true
>  WorkingDirectory=/etc/openvpn/server
>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw

I do not like services being allowed to send signals to other processes. As
dnsmasq supports a dbus interface... How about using that? For example to
clear the dns cache of an instance started from Networkmanager:

dbus-send --system --print-reply \
--dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
uk.org.thekelleys.ClearCache
David Sommerseth Aug. 29, 2018, 1:38 p.m. UTC | #2
On 29/08/18 21:05, Christian Hesse wrote:
> Christian Ehrhardt <christian.ehrhardt@canonical.com> on Wed, 2018/08/29
> 16:27:
>> It seems a not too uncommon case that learn-address needs to recycle
>> dnsmasq - to do so it would need CAP_KILL.
>>
>> This was suggested on https://community.openvpn.net/openvpn/ticket/918
>>
>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
>> ---
>>  distro/systemd/openvpn-server@.service.in | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/distro/systemd/openvpn-server@.service.in
>> b/distro/systemd/openvpn-server@.service.in index d1cc72cb..edace213 100644
>> --- a/distro/systemd/openvpn-server@.service.in
>> +++ b/distro/systemd/openvpn-server@.service.in
>> @@ -11,7 +11,7 @@ Type=notify
>>  PrivateTmp=true
>>  WorkingDirectory=/etc/openvpn/server
>>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
>> --status-version 2 --suppress-timestamps --config %i.conf
>> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
>> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
>> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
>> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
>> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw
> 
> I do not like services being allowed to send signals to other processes. As
> dnsmasq supports a dbus interface... How about using that? For example to
> clear the dns cache of an instance started from Networkmanager:
> 
> dbus-send --system --print-reply \
> --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
> uk.org.thekelleys.ClearCache

+1 ... CAP_KILL privileges can too easily prepare the ground for DoS attacks.

The D-Bus approach above seems much saner and safer.  Also because D-Bus gives
a reasonable protection in regards to privilege escalation attacks.  But you
most likely need to prepare a D-Bus policy for dnsmasq though, to allow the
openvpn user (or whatever user who will execute this script) access to the
uk.org.thekelleys.ClearCache D-Bus method.
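The D-Bus policy David refers to, as an added example that is not part of this thread or of OpenVPN's or dnsmasq's own files: it grants the unit's user exactly one method call on the destination, object path and member taken from Christian Hesse's dbus-send line, in place of widening the unit's CapabilityBoundingSet with CAP_KILL. The user name `openvpn` and the file name are assumptions.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Added example, assumed location: /etc/dbus-1/system.d/openvpn-dnsmasq.conf
     Scope: only the user the openvpn unit runs as (name "openvpn" assumed)
     may invoke ClearCache on the dnsmasq instance named in the thread.
     Everything else on that destination stays under the system bus's
     default policy, which denies method calls that are not explicitly allowed. -->
<busconfig>
  <policy user="openvpn">
    <!-- destination, object path and member as in the dbus-send example above -->
    <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"
           send_path="/uk/org/thekelleys/dnsmasq"
           send_member="ClearCache"/>
  </policy>
</busconfig>
```

With this in place the learn-address script can issue the dbus-send call shown in the thread without the service holding CAP_KILL, and a compromised script gains no ability to signal other processes.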
Christian Ehrhardt Aug. 29, 2018, 10:02 p.m. UTC | #3
On Thu, Aug 30, 2018 at 1:38 AM David Sommerseth <
openvpn@sf.lists.topphemmelig.net> wrote:

> On 29/08/18 21:05, Christian Hesse wrote:
> > Christian Ehrhardt <christian.ehrhardt@canonical.com> on Wed, 2018/08/29
> > 16:27:
> >> It seems a not too uncommon case that learn-address needs to recycle
> >> dnsmasq - to do so it would need CAP_KILL.
> >>
> >> This was suggested on https://community.openvpn.net/openvpn/ticket/918
> >>
> >> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> >> ---
> >>  distro/systemd/openvpn-server@.service.in | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/distro/systemd/openvpn-server@.service.in
> >> b/distro/systemd/openvpn-server@.service.in index d1cc72cb..edace213
> 100644
> >> --- a/distro/systemd/openvpn-server@.service.in
> >> +++ b/distro/systemd/openvpn-server@.service.in
> >> @@ -11,7 +11,7 @@ Type=notify
> >>  PrivateTmp=true
> >>  WorkingDirectory=/etc/openvpn/server
> >>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
> >> --status-version 2 --suppress-timestamps --config %i.conf
> >> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> >> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> >> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
> >> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> >> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
> >> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw
> >
> > I do not like services being allowed to send signals to other processes.
> As
> > dnsmasq supports a dbus interface... How about using that? For example to
> > clear the dns cache of an instance started from Networkmanager:
> >
> > dbus-send --system --print-reply \
> > --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq
> \
> > uk.org.thekelleys.ClearCache
>
> +1 ... CAP_KILL privileges can too easily prepare the ground for DoS
> attacks.
>
> The D-Bus approach above seems much saner and safer.  Also because D-Bus
> gives
> a reasonable protection in regards to privilege escalation attacks.  But
> you
> most likely need to prepare a D-Bus policy for dnsmasq though, to allow the
> openvpn user (or whatever user who will execute this script) access to the
> uk.org.thekelleys.ClearCache D-Bus method.
>

I don't mind the KILL signal so much; we can keep that off for another
discussion.
I like the suggestion of the dbus signal, clearly worth a try for those
with a matching setup.

After all my own thought of "umm KILL might be too much" is why I have
split it :-)

What bug 918 was originally about and would have to be cleared soon is the
CAP_AUDIT_WRITE.

So while we seem to agree we don't want/like CAP_KILL, could we add
CAP_AUDIT_WRITE as submitted?


> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc
>
>
>

Patch

diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
index d1cc72cb..edace213 100644
--- a/distro/systemd/openvpn-server@.service.in
+++ b/distro/systemd/openvpn-server@.service.in
@@ -11,7 +11,7 @@  Type=notify
 PrivateTmp=true
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
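Review bot: CapabilityBoundingSet is a per-unit upper bound inherited by every process the service starts, so the CAP_KILL appended on the `+CapabilityBoundingSet=...` line reaches not only learn-address but every script and plugin openvpn executes, and the commit message names neither the signal nor the process it is meant for. As the thread points out, the stated goal (making dnsmasq reload) is reachable through dnsmasq's D-Bus ClearCache method without touching the bounding set; if CAP_KILL is kept anyway, the commit message should state the signal and target, and a comment in the unit file should record why the capability is present so it is not silently carried forward.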