OpenVPN deletes its own user group in Hardy.

Thank you for your bug report.

I might be missing some information, but as far as I can tell the OpenVPN package (in Gutsy or hardy) does not create an "openvpn" user account or group, so I cannot reproduce the behavior you describe. Could you please explain what exactly happened : name of the user or group that were created, the version you originally installed, the version you upgraded to, the type of upgrade you've performed...

Thanks in advance for the extra info.

OpenVPN is (or should be for security reasons) configured to run as the user 'openvpn' not root. This is so should openVPN become compromised, it doesn't root the whole box.

I entirely agree. However the "is" and "should be" situations aren't the same:

1/ openvpn runs as root when installed, and if you change it later to run as "openvpn", whenever you upgrade you're back to root. openvpn should be running as the user 'openvpn' for security reasons.

2/ openvpn is configured to run as openvpn user out-of-the-box in Gutsy, and when you upgrade to hardy it runs as root.

If you're experiencing (1), then this bug is a wishlist bug that openvpn should be installed in Ubuntu to run as an "openvpn" user rather than the root user.

If you're experiencing (2), then this bug is a security regression from previous behavior, but my testing so far has failed to reproduce that.

Could you confirm that you're in the (1) case, so that I can triage the bug accordingly.

Case number 2.

--- On Wed, 7/23/08, Thierry Carrez <email address hidden> wrote:
From: Thierry Carrez <email address hidden>
Subject: [Bug 241461] Re: OpenVPN deletes its own user group in Hardy.
To: <email address hidden>
Date: Wednesday, July 23, 2008, 11:43 AM

I entirely agree. However the "is" and "should be"
situations aren't the
same:

1/ openvpn runs as root when installed, and if you change it later to
run as "openvpn", whenever you upgrade you're back to root.
openvpn
should be running as the user 'openvpn' for security reasons.

2/ openvpn is configured to run as openvpn user out-of-the-box in Gutsy,
and when you upgrade to hardy it runs as root.

If you're experiencing (1), then this bug is a wishlist bug that openvpn
should be installed in Ubuntu to run as an "openvpn" user rather than
the root user.

If you're experiencing (2), then this bug is a security regression from
previous behavior, but my testing so far has failed to reproduce that.

Could you confirm that you're in the (1) case, so that I can triage the
bug accordingly.

--
OpenVPN deletes its own user group in Hardy.
https://bugs.launchpad.net/bugs/241461
You received this bug notification because you are a direct subscriber
of the bug.

Its case number 2.

>> 2/ openvpn is configured to run as openvpn user out-of-the-box
>> in Gutsy, and when you upgrade to hardy it runs as root.
>
> Case number 2.

Like I said, my testing on a fresh gutsy install has failed to reproduce that :

$ sudo apt-get install openvpn
[...]
$ grep openvpn /etc/passwd | wc -l
0
$ grep openvpn /etc/group | wc -l
0

No "openvpn" user or group is created upon openvpn install in Gutsy. So openvpn isn't configured to run as "openvpn" user out-of-the-box in Gutsy... Furthermore I see no reference to a specific user creation in the Gutsy package.

Could you please explain in more detail and provide the information I asked in comment #3 : name of the user or group that were created, the version you originally installed, the version you upgraded to, the type of upgrade you've performed...

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comment. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!