[Openvpn-devel,RFC,2/3] systemd: do not downgrade UID/GID

Message ID 20180401191309.32211-3-list@eworm.de
State Rejected
Series: follow-up netlink support, systemd integration

Commit Message

Christian Hesse April 1, 2018, 9:13 a.m. UTC
From: Christian Hesse <mail@eworm.de>

Now that systemd starts the process with a dedicated user we no longer
want to downgrade privileges. Also remove CAP_SETGID and CAP_SETUID
from granted privileges.

Signed-off-by: Christian Hesse <mail@eworm.de>
---
 distro/systemd/openvpn-client@.service.in | 2 +-
 distro/systemd/openvpn-server@.service.in | 2 +-
 src/openvpn/init.c                        | 8 ++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)



Patch

diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
index a103d751..ee7957a6 100644
--- a/distro/systemd/openvpn-client@.service.in
+++ b/distro/systemd/openvpn-client@.service.in
@@ -13,7 +13,7 @@  User=openvpn
 Group=openvpn
 WorkingDirectory=/etc/openvpn/client
 ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
-AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
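Review bot: dropping CAP_SETGID and CAP_SETUID from this unit means any `user`/`group` directive still present in %i.conf will fail at the setgid/setuid step unless the openvpn binary already carries the init.c change from this series and was built with ENABLE_SYSTEMD, so the unit change must not ship ahead of that code; it should also be called out in the release notes, because configurations written for the previous unit (which granted these capabilities precisely so that `--user openvpn` could work) will keep those directives and now depend on the daemon skipping the downgrade rather than performing it.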
diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
index 7275e86a..03d28a2e 100644
--- a/distro/systemd/openvpn-server@.service.in
+++ b/distro/systemd/openvpn-server@.service.in
@@ -13,7 +13,7 @@  User=openvpn
 Group=openvpn
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
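Review bot: this is the same capability removal as in openvpn-client@.service.in with the same dependency on the init.c change, and after it the two AmbientCapabilities= lines differ only by CAP_NET_BIND_SERVICE; since the two unit files are edited in lockstep, a short comment in each explaining why CAP_SETUID/CAP_SETGID are deliberately absent (the process already starts as User=openvpn/Group=openvpn, so no privilege drop is needed) would stop a later maintainer from re-adding them to make a config's `user`/`group` directives work again.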
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 36c1a4c4..0fc60d62 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1151,6 +1151,14 @@  do_uid_gid_chroot(struct context *c, bool no_delay)
         /* set user and/or group if we want to setuid/setgid */
         if (c0->uid_gid_specified)
         {
+#ifdef ENABLE_SYSTEMD
+            if (sd_notify(0, "READY=0") > 0 && getuid() != 0)
+            {
+                msg(M_INFO, "NOTE: Running from systemd with non-root uid, skipping downgrade");
+                return;
+            }
+#endif
+
             if (no_delay)
             {
                 platform_group_set(&c0->platform_state_group);
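Review bot: the early `return` at the top of the `uid_gid_specified` block leaves do_uid_gid_chroot altogether, so whatever the function does after the uid/gid section (its name suggests the chroot handling) is skipped whenever systemd is detected and the uid is non-zero; it would be safer to skip only the setuid/setgid part, for example by folding the new condition into the `if (c0->uid_gid_specified)` test or setting a flag, and let the rest of the function run. Separately, `sd_notify(0, "READY=0") > 0` is a side-effecting probe: it sends a spurious READY=0 message to the notify socket only to learn whether NOTIFY_SOCKET is set, and sd_notify returns 0 (not an error) when it is not, so a plain `getenv("NOTIFY_SOCKET")` check, or simply acting on `getuid() != 0` since a non-root process without CAP_SETUID/CAP_SETGID cannot change uid/gid anyway, expresses the intent without the side effect.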