From patchwork Sun Apr 22 23:28:13 2018
X-Patchwork-Submitter: Christian Hesse
X-Patchwork-Id: 316
From: Christian Hesse
To: OpenVPN Development
Date: Mon, 23 Apr 2018 11:28:13 +0200
Message-Id: <20180423092813.24844-1-list@eworm.de>
X-Mailer: git-send-email 2.17.0
Subject: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user
Cc: Christian Hesse

From: Christian Hesse

Now that we have a native netlink interface, run the process with dedicated user 'openvpn'. This is possible by granting ambient capabilities, see systemd.exec(5).
Signed-off-by: Christian Hesse --- .gitignore | 1 + configure.ac | 9 +++++++++ distro/systemd/Makefile.am | 24 ++++++++++++++++++++++- distro/systemd/openvpn-client@.service.in | 4 +++- distro/systemd/openvpn-server@.service.in | 4 +++- distro/systemd/sysusers-openvpn.conf | 1 + distro/systemd/tmpfiles-openvpn.conf | 2 -- distro/systemd/tmpfiles-openvpn.conf.in | 4 ++++ src/openvpn/init.c | 8 ++++++++ 9 files changed, 52 insertions(+), 5 deletions(-) create mode 100644 distro/systemd/sysusers-openvpn.conf delete mode 100644 distro/systemd/tmpfiles-openvpn.conf create mode 100644 distro/systemd/tmpfiles-openvpn.conf.in diff --git a/.gitignore b/.gitignore index 25009d81..00abdd5a 100644 --- a/.gitignore +++ b/.gitignore @@ -55,6 +55,7 @@ doc/openvpn.8.html /doc/doxygen/openvpn.doxyfile distro/rpm/openvpn.spec distro/systemd/*.service +distro/systemd/tmpfiles-openvpn.conf sample/sample-keys/sample-ca/ vendor/.build vendor/dist diff --git a/configure.ac b/configure.ac index 251cb9a2..ef8f5864 100644 --- a/configure.ac +++ b/configure.ac @@ -367,6 +367,7 @@ AC_ARG_VAR([GIT], [path to git utility]) AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility]) AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@]) AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@]) +AC_ARG_VAR([SYSUSERS_DIR], [Path of sysusers directory @<:@default=LIBDIR/sysusers.d@:>@]) AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) 
@@ -1200,6 +1201,12 @@ if test "$enable_systemd" = "yes" ; then else tmpfilesdir="\${libdir}/tmpfiles.d" fi + + if test -n "${SYSUSERS_DIR}"; then + sysusersdir="${SYSUSERS_DIR}" + else + sysusersdir="\${libdir}/sysusers.d" + fi fi @@ -1375,6 +1382,7 @@ AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"]) AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"]) +AM_CONDITIONAL([ENABLE_IPROUTE], [test "${enable_iproute2}" = "yes"]) sampledir="\$(docdir)/sample" AC_SUBST([plugindir]) @@ -1382,6 +1390,7 @@ AC_SUBST([sampledir]) AC_SUBST([systemdunitdir]) AC_SUBST([tmpfilesdir]) +AC_SUBST([sysusersdir]) VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/" VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist" diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am index 69e12699..1b7ce5f9 100644 --- a/distro/systemd/Makefile.am +++ b/distro/systemd/Makefile.am 
@@ -10,14 +10,35 @@ %.service: %.service.in Makefile $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \ + -e 's|\@SYSTEMD_USER\@|$(SYSTEMD_USER)|' \ + -e 's|\@SYSTEMD_CAPS_OPTION\@|$(SYSTEMD_CAPS_OPTION)|' \ + -e 's|\@SYSTEMD_CAPS_VALUES\@|$(SYSTEMD_CAPS_VALUES)|' \ + $< > $@.tmp && mv $@.tmp $@ + +%.conf: %.conf.in Makefile + $(AM_V_GEN)sed -e 's|\@SYSTEMD_USER\@|$(SYSTEMD_USER)|g' \ $< > $@.tmp && mv $@.tmp $@ EXTRA_DIST = \ - tmpfiles-openvpn.conf \ + sysusers-openvpn.conf \ + tmpfiles-openvpn.conf.in \ openvpn-client@.service.in \ openvpn-server@.service.in if ENABLE_SYSTEMD +if ENABLE_IPROUTE +SYSTEMD_USER=root +SYSTEMD_CAPS_OPTION=CapabilityBoundingSet +SYSTEMD_CAPS_VALUES=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +else +SYSTEMD_USER=openvpn +SYSTEMD_CAPS_OPTION=AmbientCapabilities +SYSTEMD_CAPS_VALUES=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE + +sysusers_DATA = \ + sysusers-openvpn.conf +endif + systemdunit_DATA = \ openvpn-client@.service \ openvpn-server@.service @@ -28,6 +49,7 @@ dist_doc_DATA = \ install-data-hook: mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf + mv $(DESTDIR)$(sysusersdir)/sysusers-openvpn.conf $(DESTDIR)$(sysusersdir)/openvpn.conf || true endif MAINTAINERCLEANFILES = \ diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in index cbcef653..96cbf68e 100644 --- a/distro/systemd/openvpn-client@.service.in +++ b/distro/systemd/openvpn-client@.service.in 
@@ -9,9 +9,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] Type=notify PrivateTmp=true +User=@SYSTEMD_USER@ +Group=@SYSTEMD_USER@ WorkingDirectory=/etc/openvpn/client ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +@SYSTEMD_CAPS_OPTION@=@SYSTEMD_CAPS_VALUES@ LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in index a8366a04..3f00642e 100644 --- a/distro/systemd/openvpn-server@.service.in +++ b/distro/systemd/openvpn-server@.service.in @@ -9,9 +9,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] Type=notify PrivateTmp=true +User=@SYSTEMD_USER@ +Group=@SYSTEMD_USER@ WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +@SYSTEMD_CAPS_OPTION@=@SYSTEMD_CAPS_VALUES@ LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw diff --git a/distro/systemd/sysusers-openvpn.conf b/distro/systemd/sysusers-openvpn.conf new file mode 100644 index 00000000..d200852b --- /dev/null +++ b/distro/systemd/sysusers-openvpn.conf @@ -0,0 +1 @@ +u openvpn - "OpenVPN user" / diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf deleted file mode 100644 index bb79671e..00000000 --- a/distro/systemd/tmpfiles-openvpn.conf +++ /dev/null @@ -1,2 +0,0 @@ -d /run/openvpn-client 0710 root root - -d /run/openvpn-server 0710 root root - diff --git a/distro/systemd/tmpfiles-openvpn.conf.in b/distro/systemd/tmpfiles-openvpn.conf.in new file mode 100644 index 00000000..f58d2967 --- /dev/null 
+++ b/distro/systemd/tmpfiles-openvpn.conf.in @@ -0,0 +1,4 @@ +d /run/openvpn-client 0750 @SYSTEMD_USER@ @SYSTEMD_USER@ - +d /run/openvpn-server 0750 @SYSTEMD_USER@ @SYSTEMD_USER@ - +d /etc/openvpn/client 0750 @SYSTEMD_USER@ @SYSTEMD_USER@ - +d /etc/openvpn/server 0750 @SYSTEMD_USER@ @SYSTEMD_USER@ - diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 36c1a4c4..0fc60d62 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1151,6 +1151,14 @@ do_uid_gid_chroot(struct context *c, bool no_delay) /* set user and/or group if we want to setuid/setgid */ if (c0->uid_gid_specified) { +#ifdef ENABLE_SYSTEMD + if (sd_notify(0, "READY=0") > 0 && getuid() != 0) + { + msg(M_INFO, "NOTE: Running from systemd with non-root uid, skipping downgrade"); + return; + } +#endif + if (no_delay) { platform_group_set(&c0->platform_state_group);
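Review bot: the new `AM_CONDITIONAL([ENABLE_IPROUTE], [test "${enable_iproute2}" = "yes"])` in the configure.ac hunk at @@ -1375 is what decides whether the units run as root or as the dedicated user, yet the commit message only says the process now runs as 'openvpn'. Please state in the message (and in the configure help text) that builds configured with iproute2 support keep `User=root` with `CapabilityBoundingSet`, presumably because the external `ip` helper still needs root, and consider naming the conditional ENABLE_IPROUTE2 so it matches the variable it tests.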
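Review bot: in the distro/systemd/Makefile.am hunk, the `|| true` appended to the sysusers `mv` in install-data-hook hides a genuinely failed rename together with the expected "no such file" case of the ENABLE_IPROUTE branch, where `sysusers_DATA` is never set. Put that `mv` under the same conditional that installs the file (an `if !ENABLE_IPROUTE` block around it) instead of ignoring every error, so a broken install is reported.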
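Review bot: the `CapabilityBoundingSet=` line removed from openvpn-client@.service.in did not contain CAP_NET_BIND_SERVICE, but both SYSTEMD_CAPS_VALUES sets defined in Makefile.am do, so after this change the client unit (which starts openvpn with `--nobind`) is granted the ability to bind privileged ports as a side effect of sharing one substitution with the server unit. Keep separate value sets for client and server, or drop CAP_NET_BIND_SERVICE from the client substitution, so the client's privilege does not grow with this refactoring.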
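Review bot: the two new `d /etc/openvpn/client` and `d /etc/openvpn/server` lines in tmpfiles-openvpn.conf.in make the service user the owner of its own configuration directories (0750, user and group @SYSTEMD_USER@), and since tmpfiles `d` entries also adjust the owner and mode of directories that already exist, this rewrites ownership of /etc/openvpn on existing installations at the next boot. A process that can write its own `--config` and any scripts referenced from it can undo the confinement this patch introduces, so keep those directories root-owned and give the service user read access through the group instead (for example `d /etc/openvpn/client 0750 root @SYSTEMD_USER@ -`), or leave /etc out of tmpfiles and let packaging handle it. Owning the /run directories is fine, since the server unit writes its `--status` file there.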
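Review bot: the bare `return` inserted inside `if (c0->uid_gid_specified)` in src/openvpn/init.c leaves do_uid_gid_chroot early, so everything the function does after the uid/gid block is skipped as well, not only the setuid/setgid calls; the hunk shows only the start of that block, so wrap the user/group change in a condition (or set a flag) rather than returning, and check what else the function performs afterwards. The probe is also side-effecting: `sd_notify(0, "READY=0")` sends a real notification to the manager just to learn whether a notify socket exists, and if the function runs again for the delayed pass the `no_delay` parameter suggests, the NOTE is logged each time; `getenv("NOTIFY_SOCKET")` or simply `getuid() != 0` would do. Finally, because the non-root capability set in Makefile.am omits CAP_SETUID and CAP_SETGID, a `user`/`group` downgrade in an administrator's config cannot be honoured there; skipping it at M_INFO means the process quietly continues as the systemd user with its ambient capabilities rather than the lesser identity the configuration asked for. Log that at M_WARN at least, and describe the behaviour in the commit message and the man page.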