Add CAP_AUDIT_WRITE to non-upstream services
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openvpn (Debian) | Fix Released | Unknown | | |
| openvpn (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Cosmic | Fix Released | Undecided | Unassigned | |
| Disco | Fix Released | Undecided | Unassigned | |
| Eoan | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* Non-default but still common openvpn setups use callout scripts with
sudo (if the openvpn user was set up to work with sudo). That breaks in
>=Bionic since CAP_AUDIT_WRITE was dropped, which makes pam/sudo deny
the call.
* We brought the change upstream (they have their own .deb package) and want
to backport it into B/C/D
[Test Case]
* The following should work for two KVM guests on the same virtual
network.
* details in https:/
und-ipv6 which the reporter and I followed (warning: the non-command text is
German)
* there is no need to do any of the IPv6 stuff in the guide nor the
iptables actions
TL;DR would be:
* apt install openvpn (on client and server)
$ sudo apt install openvpn easy-rsa
Use easy-rsa to create 1 server and 1 client certificate
See the link above for commands to do so if you are unfamiliar
* add "openvpn" user and grant him sudo permission for your test script
$ addgroup --system --no-create-home --disabled-login --group openvpn
$ adduser --system --no-create-home --disabled-login --ingroup openvpn openvpn
* add server/client config (copy and modify from those in /usr/share)
the important bit is to have a sudo call to a helper like:
learn-address "/usr/bin/sudo -u root /etc/openvpn/
client.conf
client
dev tun
proto udp
remote 192.168.122.29 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/
cert /etc/openvpn/
key /etc/openvpn/
remote-cert-tls server
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-
auth SHA512
comp-lzo
verb 6
explicit-
server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/
cert /etc/openvpn/
key /etc/openvpn/
dh /etc/openvpn/
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-
script-security 2
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-version-min 1.2
tls-cipher TLS-ECDHE-
auth SHA512
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 6
user openvpn
group openvpn
* Create the test script
$ sudo mkdir -p /etc/openvpn/
$ echo "id" | sudo tee -a /etc/openvpn/
$ sudo chmod +x /etc/openvpn/
* Start the server service and run journalctl -f
And here is the important part for this sub-bug of bug 1787208.
To use the service files you would not run openvpn@server, which is
the default Debian/Ubuntu templated service file.
Instead you'd use `systemctl restart openvpn-
Mind the extra -server
* Let the client connect (you will see the denies on the server)
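A quick way to check a unit file before and after the fix is to inspect its CapabilityBoundingSet= lines for CAP_AUDIT_WRITE, the capability pam/sudo needs when a callout script runs under sudo. The following shell script is an added example, not code from the bug report or the openvpn package; the unit contents are constructed for the demo and the helper names (unit_bounding_set, unit_has_cap, DEMO_DIR) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or the openvpn packaging. It checks
# whether a systemd unit's CapabilityBoundingSet= grants CAP_AUDIT_WRITE; without
# it, pam/sudo in a callout script cannot send its audit message and denies the
# call. The unit contents below are constructed for this demo.

# Print the effective bounding set of a unit file (one capability per line),
# merging CapabilityBoundingSet= lines in the [Service] section the way systemd
# does: plain lines add capabilities, a "~" prefix removes the listed ones, and
# an empty assignment resets the set. Drop-in overrides are not read.
unit_bounding_set() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^CapabilityBoundingSet[ \t]*=/ {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val == "") { for (k in caps) delete caps[k]; next }
            remove = (substr(val, 1, 1) == "~")
            if (remove) val = substr(val, 2)
            n = split(val, list, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (list[i] == "") continue
                if (remove) delete caps[list[i]]; else caps[list[i]] = 1
            }
        }
        END { for (k in caps) print k }
    ' "$1"
}

# Exit 0 if the unit grants the named capability, 1 otherwise.
unit_has_cap() {
    unit_bounding_set "$1" | grep -qx -- "$2"
}

# Constructed sample units: "before" mirrors a unit that dropped CAP_AUDIT_WRITE,
# "after" has it added back, as the fix for this bug does.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/before.service" <<'EOF'
[Unit]
Description=constructed sample: service without CAP_AUDIT_WRITE

[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
EOF
cat > "$DEMO_DIR/after.service" <<'EOF'
[Unit]
Description=constructed sample: service with CAP_AUDIT_WRITE restored

[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
CapabilityBoundingSet=CAP_AUDIT_WRITE
EOF

for unit in before after; do
    if unit_has_cap "$DEMO_DIR/$unit.service" CAP_AUDIT_WRITE; then
        echo "$unit.service: CAP_AUDIT_WRITE present, sudo/pam audit logging can work"
    else
        echo "$unit.service: CAP_AUDIT_WRITE missing, sudo callouts will be denied"
    fi
done
```

On a running system, `systemctl show -p CapabilityBoundingSet <unit>` prints the effective set systemd computed, including drop-ins, which the file-only parser above does not read; comparing that output for openvpn@server and the openvpn-server@ instance is the quickest way to see which of the two sets of service files still lacks the capability.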
[Regression Potential]
* It adds one allowed capability (a rather safe one btw) to the service
of openvpn. There should be no regression risk breaking functional
setups.
If anything I'd have security concerns, but since it was this way in
Xenial and already is that way on "the other" set of .service files
that should not matter.
[Other Info]
* This was in Xenial, picked by upstream for their own .deb package but
not integrated in their actual repository. Debian, by aligning with
upstream, dropped it and we followed. This time we made sure it gets
upstream and therefore hopefully should not recur
* This was already fixed in bug 1787208 , but the package has two sets of
.service files and this change fixes the one that still is affected.
---
For a while now openvpn has been haunted by having two sets of services: a bunch from upstream and a pair from the Debian packaging.
Every now and then changes fix one but miss the other.
In this case the fix for bug 1787208 was only applied to the former openvpn@.service (Debian packaging) but not the latter openvpn-
Please correct this in the same releases as the older bug.
Related branches
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 80 lines (+58/-0), 3 files modified: debian/changelog (+8/-0), debian/patches/lp-1828771-CapabilityBoundingSet-for-auth_pam.patch (+49/-0), debian/patches/series (+1/-0)
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 80 lines (+58/-0), 3 files modified: debian/changelog (+8/-0), debian/patches/lp-1828771-CapabilityBoundingSet-for-auth_pam.patch (+49/-0), debian/patches/series (+1/-0)
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
Diff: 80 lines (+58/-0), 3 files modified: debian/changelog (+8/-0), debian/patches/lp-1828771-CapabilityBoundingSet-for-auth_pam.patch (+49/-0), debian/patches/series (+1/-0)
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 971 lines (+706/-4), 5 files modified: debian/changelog (+598/-0), debian/control (+4/-3), debian/openvpn@.service (+1/-1), debian/patches/openvpn-fips-2.4.patch (+102/-0), debian/patches/series (+1/-0)
Changed in openvpn (Debian):
status: Unknown → Fix Released
Changed in openvpn (Ubuntu Eoan):
status: Triaged → In Progress
description: updated
Fixed in 2.4.7-1 so we could/should start with a Merge for Eoan.