openvpn --script-security is not working

Bug #1124398 reported by Marc Gariépy on 2013-02-13
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openvpn (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned

Bug Description

== Rationale ==
The openvpn init script calculates script_security based on what's set in /etc/openvpn/{$NAME}.conf, however that variable isn't currently being passed to openvpn itself.
This was likely caused by a mismerge with Debian.

== Test case ==
1) Don't set script_security in /etc/openvpn/{$NAME}.conf
2) set a line "up ./server.up" in /etc/openvpn/{$NAME}.conf
3) Restart openvpn
4) Ensure that --script-security is passed to the daemon

== Regression potential ==
Can't think of any, unless someone had an invalid script_security value which was currently being ignored and may then break their VPN. However this is technically a bad config and wouldn't really qualify as a bug.

--- original bug report ---

On ubuntu 12.04, the option ""--script-security 2"" is never added to the command line of openvpn daemon
here is the diff that need to be applied to the /etc/init.d/openvpn to start the daemon correctly.

If you need more information, please let me know.
=================================
--- /tmp/openvpn 2013-02-13 13:40:53.885828899 -0500
+++ /etc/init.d/openvpn 2013-02-13 13:13:52.598704452 -0500
@@ -89,7 +89,7 @@
         --pidfile /var/run/openvpn.$NAME.pid \
         --exec $DAEMON -- $OPTARGS --writepid /var/run/openvpn.$NAME.pid \
         $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
- --config $CONFIG_DIR/$NAME.conf < /dev/null || STATUS=1
+ --config $CONFIG_DIR/$NAME.conf $script_security < /dev/null || STATUS=1

     [ "$OMIT_SENDSIGS" -ne 1 ] || ln -s /var/run/openvpn.$NAME.pid /run/sendsigs.omit.d/openvpn.$NAME.pid

=================================

Changed in openvpn (Ubuntu):
status: New → In Progress
status: In Progress → Fix Committed
Changed in openvpn (Ubuntu Precise):
status: New → In Progress
description: updated
Changed in openvpn (Ubuntu Quantal):
status: New → In Progress
Marc Gariépy (mgariepy) on 2013-02-13
description: updated
description: updated
Stéphane Graber (stgraber) wrote :

Uploaded to raring, 12.10 and 12.04. Please help test once it's accepted in -proposed.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.2.1-8ubuntu3

---------------
openvpn (2.2.1-8ubuntu3) raring; urgency=low

  [ Marc Gariépy ]
  * Add --script-security to the init.d script (was generated but not passed
    to openvpn). (LP: #1124398)
 -- Stephane Graber <email address hidden> Wed, 13 Feb 2013 16:10:48 -0500

Changed in openvpn (Ubuntu):
status: Fix Committed → Fix Released

Hello Marc, or anyone else affected,

Accepted openvpn into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openvpn/2.2.1-8ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openvpn (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in openvpn (Ubuntu Quantal):
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

Hello Marc, or anyone else affected,

Accepted openvpn into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openvpn/2.2.1-8ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Marc Gariépy (mgariepy) wrote :

I just tested the precise-proposed package and it works correctly.
Thnks for pushing this in the archive.

tags: added: verification-done
removed: verification-needed
tags: added: verification-done-precise verification-needed
removed: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.2.1-8ubuntu1.1

---------------
openvpn (2.2.1-8ubuntu1.1) precise-proposed; urgency=low

  [ Marc Gariépy ]
  * Add --script-security to the init.d script (was generated but not passed
    to openvpn). (LP: #1124398)
 -- Stephane Graber <email address hidden> Wed, 13 Feb 2013 16:17:34 -0500

Changed in openvpn (Ubuntu Precise):
status: Fix Committed → Fix Released
Simon Déziel (sdeziel) wrote :

The quantal-proposed package works fine, thanks.

tags: added: verification-done verification-done-quantal
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.2.1-8ubuntu2.1

---------------
openvpn (2.2.1-8ubuntu2.1) quantal-proposed; urgency=low

  [ Marc Gariépy ]
  * Add --script-security to the init.d script (was generated but not passed
    to openvpn). (LP: #1124398)
 -- Stephane Graber <email address hidden> Wed, 13 Feb 2013 16:10:48 -0500

Changed in openvpn (Ubuntu Quantal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers