From patchwork Tue Nov 29 14:47:31 2022
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 2869
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 29 Nov 2022 15:47:31 +0100
Message-Id: <20221129144731.35105-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH] documentation: avoid recommending --user nobody

Recommend creating a user dedicated to openvpn so that there is no privilege escalation between different services using that user.

cf. https://wiki.ubuntu.com/nobody

Trac: #1335
CC: tincantech
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---
 doc/man-sections/generic-options.rst       | 9 +++++++--
 sample/sample-config-files/client.conf     | 4 ++--
 sample/sample-config-files/server.conf     | 8 ++++----
 sample/sample-config-files/tls-home.conf   | 8 ++++----
 sample/sample-config-files/tls-office.conf | 8 ++++----
 src/openvpn/init.c                         | 2 +-
 6 files changed, 22 insertions(+), 17 deletions(-)

Low-hanging fruit found when cleaning up Trac.

diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 394c2186..d2b226c4 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst
@@ -294,7 +294,7 @@ which mode OpenVPN is configured as. --persist-key Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - This option can be combined with ``--user nobody`` to allow restarts + This option can be combined with ``--user`` to allow restarts triggered by the :code:`SIGUSR1` signal. Normally if you drop root privileges in OpenVPN, the daemon cannot be restarted since it will now be unable to re-read protected key files. @@ -491,7 +491,7 @@ which mode OpenVPN is configured as. able to gain control of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second line of defense. - By setting ``user`` to :code:`nobody` or somebody similarly unprivileged, + By setting ``user`` to an unprivileged user dedicated to run openvpn, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an @@ -501,5 +501,10 @@ which mode OpenVPN is configured as. operations in order to restart (such as re-reading key files or running ``ifconfig`` on the TUN device). + NOTE: Previous versions of openvpn used :code:`nobody` as the example + unpriviledged user. It is not recommended to actually use that user + since it is usually used by other system services already. Always + create a dedicated user for openvpn. + --writepid file Write OpenVPN's main process ID to ``file``. diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index 47ca4099..15cb1b37 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -58,8 +58,8 @@ resolv-retry infinite nobind # Downgrade privileges after initialization (non-Windows only) -;user nobody -;group nobody +;user openvpn +;group openvpn # Try to preserve some state across restarts. persist-key 
diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index e7020639..d9345b64 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -269,10 +269,10 @@ cipher AES-256-CBC # It's a good idea to reduce the OpenVPN # daemon's privileges after initialization. # -# You can uncomment this out on -# non-Windows systems. -;user nobody -;group nobody +# You can uncomment this on non-Windows +# systems after creating a dedicated user. +;user openvpn +;group openvpn # The persist options will try to avoid # accessing certain resources on restart diff --git a/sample/sample-config-files/tls-home.conf b/sample/sample-config-files/tls-home.conf index 3a9297cc..ff19d50d 100644 --- a/sample/sample-config-files/tls-home.conf +++ b/sample/sample-config-files/tls-home.conf @@ -47,11 +47,11 @@ cipher AES-256-GCM # for local and remote. ; port 1194 -# Downgrade UID and GID to -# "nobody" after initialization +# Downgrade UID and GID to an +# unpriviledged user after initialization # for extra security. -; user nobody -; group nobody +; user openvpn +; group openvpn # If you built OpenVPN with # LZO compression, uncomment diff --git a/sample/sample-config-files/tls-office.conf b/sample/sample-config-files/tls-office.conf index 81052211..152e58a0 100644 --- a/sample/sample-config-files/tls-office.conf +++ b/sample/sample-config-files/tls-office.conf @@ -50,11 +50,11 @@ cipher AES-256-GCM # for local and remote. ; port 1194 -# Downgrade UID and GID to -# "nobody" after initialization +# Downgrade UID and GID to an +# unpriviledged user after initialization # for extra security. -; user nobody -; group nobody +; user openvpn +; group openvpn # If you built OpenVPN with # LZO compression, uncomment diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 0e476977..fee44232 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -2020,7 +2020,7 @@ do_close_tun(struct context *c, bool force) } /* Run the down script -- note that it will run at reduced - * privilege if, for example, "--user nobody" was used. */ + * privilege if, for example, "--user" was used. */ run_up_down(c->options.down_script, c->plugins, OPENVPN_PLUGIN_DOWN,
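Review bot: the second generic-options.rst hunk (the ``--user`` description at line 491) replaces the removed line with `By setting ``user`` to an unprivileged user dedicated to run openvpn,`, which reads awkwardly ("dedicated to run"); suggest `By setting ``user`` to an unprivileged user dedicated to running OpenVPN,`, which also keeps the product-name capitalisation the surrounding text uses ("an OpenVPN session").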
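Review bot: the new NOTE paragraph in the third generic-options.rst hunk (line 501) misspells `unpriviledged`; it should be `unprivileged`, matching the spelling already used in this file (`drop root privileges` in the ``--persist-key`` hunk). The same paragraph writes `openvpn` twice where the rest of the document says `OpenVPN`. Since this is reStructuredText, consider a `.. note::` directive instead of a literal `NOTE:` prefix if the file uses admonitions elsewhere, so the warning renders as one.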
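Review bot: the client.conf hunk changes the commented defaults to `;user openvpn` / `;group openvpn` but, unlike the server.conf hunk, does not tell the reader that the account has to be created first (`# systems after creating a dedicated user.`). Someone who uncomments these two lines on a host without an `openvpn` account gets a config that names a user which does not exist, so suggest carrying the same comment over to client.conf.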
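Review bot: the tls-home.conf hunk introduces the typo `unpriviledged` in the new comment line `# unpriviledged user after initialization`; it should read `# unprivileged user after initialization`.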
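Review bot: the tls-office.conf hunk has the same typo as tls-home.conf, `# unpriviledged user after initialization`; it should read `# unprivileged user after initialization`, so both sample files stay identical in wording.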
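Review bot: in the init.c hunk the comment now reads `privilege if, for example, "--user" was used.`; with the concrete example user gone, "for example" no longer introduces an example. Suggest `privilege if "--user" or "--group" was used.`, which also covers the GID downgrade that the sample configs describe ("Downgrade UID and GID").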
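The commit message recommends a user dedicated to openvpn instead of the shared `nobody` account. The following audit script is an added example, not part of this patch or of OpenVPN: it reads the active `user` directive of a config file (commented `;user` lines are ignored, as in the sample files), rejects `nobody`, and checks that the named account exists in a passwd file, is not uid 0, and has a non-login shell. The second argument and all file names are assumptions for offline use; it defaults to `/etc/passwd`.

```shell
#!/bin/sh
# Added example, not part of this patch or of OpenVPN: audit the privilege
# drop configured in an OpenVPN config file. It flags the shared 'nobody'
# account the patch stops recommending and verifies that the dedicated user
# actually exists and is a non-login, non-root account.
# Usage: audit_openvpn_user CONFIG [PASSWD_FILE]   (PASSWD_FILE defaults to /etc/passwd)
audit_openvpn_user() {
    cfg="$1"
    passwd="${2:-/etc/passwd}"
    # Last active 'user' directive. Lines starting with ';' or '#' are comments
    # and do not match the anchored pattern; 'username-as-common-name' does not
    # match either because whitespace must follow 'user'.
    user=$(sed -n 's/^[[:space:]]*user[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$user" ]; then
        echo "$cfg: no active 'user' directive, daemon keeps root after initialization"
        return 1
    fi
    case "$user" in
        nobody)   # shared with other services: no isolation between them
            echo "$cfg: 'user nobody' is shared with other services; create a dedicated user"
            return 1 ;;
    esac
    # '|| true' keeps a no-match grep from aborting callers running under 'set -e'
    entry=$(grep "^$user:" "$passwd" || true)
    if [ -z "$entry" ]; then
        echo "$cfg: user '$user' does not exist, create it before uncommenting 'user'"
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ "$uid" -eq 0 ]; then
        echo "$cfg: user '$user' is uid 0, nothing is dropped"
        return 1
    fi
    case "$shell" in
        */nologin|*/false) ;;   # expected for a service account
        *) echo "$cfg: user '$user' has login shell '$shell', use nologin"; return 1 ;;
    esac
    echo "$cfg: ok, drops to dedicated user '$user' (uid $uid)"
    return 0
}
```

Run it as `audit_openvpn_user /etc/openvpn/server.conf` on a host; the exit status is 0 only when the config drops to an existing dedicated account.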