Add CAP_AUDIT_WRITE to non-upstream services

Bug #1828771 reported by Christian Ehrhardt  on 2019-05-13
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openvpn (Debian)
Fix Released
Unknown
openvpn (Ubuntu)
Status tracked in Eoan
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned
Disco
Undecided
Unassigned
Eoan
Undecided
Unassigned

Bug Description

[Impact]

 * non-default but still common openvpn setups use callout scripts with
   sudo (if the openvpn user was set up to work with sudo). That breaks in
   >=Bionic since CAP_AUDIT_WRITE was dropped which makes pam/sudo denying
   the call.

 * We brought the change upstream (they have an own .deb package) and want
   to backport into B/C/D

[Test Case]

 * The following should work for two KVM Guests on the same virtual
   network.
 * details in https://www.techgrube.de/tutorials/openvpn-server-mit-ipv4-
und-ipv6 which the reporter and I followed (warning: non commands are
   german)

 * there is no need to do any of the IPV6 stuff in the guide nor the
   iptables actions

 TL;DR would be:
 * apt install openvpn (on client and server)
   $ sudo apt install openvpn easy-rsa
   Use easy-rsa to create 1 server and 1 client certificate
   See the link above for commands to do so if you are unfamiliar
 * add "openvpn" user and grant him sudo permission for your test script
   $ addgroup --system --no-create-home --disabled-login --group openvpn
   $ adduser --system --no-create-home --disabled-login --ingroup openvpn openvpn
 * add server/client config (copy and modify from those in /usr/share)
   the important bit is to have a sudo call to a helper like:
     learn-address "/usr/bin/sudo -u root /etc/openvpn/scripts/test.sh"
client.conf
client
dev tun
proto udp
remote 192.168.122.29 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/guest1.crt
key /etc/openvpn/easy-rsa/pki/private/guest1.key
remote-cert-tls server
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
comp-lzo
verb 6
explicit-exit-notify

server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
script-security 2
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 6
user openvpn
group openvpn

 * Create the test script
   $ sudo mkdir -p /etc/openvpn/scripts/
   $ sudo echo "id" >> /etc/openvpn/scripts/test.sh
   $ sudo chmod +x /etc/openvpn/scripts/test.sh
 * Start the server service and run journalctl -f
      And here is the important part for this sub-bug of bug 1787208.
      To use the service files you'd not run openvpn@server which would be
      the default Debian/Ubuntu templated service files.
      Instead you'd use `systemctl restart openvpn-server@server`
      Mind the extra -server
 * Let the client connect (you will see the denies on the server)

[Regression Potential]

 * It adds one allowed capability (a rather safe one btw) to the service
   of openvpn. There should be no regression risk breaking functional
   setups.
   If anything I'd have security concerns, but since it was this way in
   Xenial and already is that way on "the other" set of .service files
   that should not matter.

[Other Info]

 * This was in Xenial, picked by upstream for their own .deb package but
   not integrated in their actual repository. Debian by aligning with
   upstream dropped it and we followed. This time we made sure it gets
   upstream and therefore hopefully should not reoccur again
 * This was already fixed in bug 1787208 , but the package has two sets of
   .service files and this change fixes the one that still is affected.

---

For a while openvpn is haunted by having two sets of services a bunch from upstream and pair from the debian packaging.

Every now and then changes fix one but miss the other.

In this case the fix for bug 1787208 was only applied to the former openvpn@.service (Debian packaging) but not the latter openvpn-server@.service (service files from upstream).

Please correct this in the same releases as the older bug.

Related branches

Fixed in 2.4.7-1 so we could/should start with a Merge for Eoan.

tags: added: server-next
Changed in openvpn (Ubuntu Eoan):
status: New → Triaged
description: updated
Changed in openvpn (Debian):
status: Unknown → Fix Released
Changed in openvpn (Ubuntu Eoan):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.4.7-1ubuntu1

---------------
openvpn (2.4.7-1ubuntu1) eoan; urgency=medium

  * Merge with Debian unstable (LP: #1828771). Remaining changes:
    - d/control: Demote easy-rsa to Suggests (universe package).
    - debian/openvpn@.service: Add '--script-security 2' similar to what got
      added to debian/openvpn.init.d ages ago (LP 1454725)
    - d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
      (LP 1807439)
  * Dropped changes:
    - d/openvpn@.service: Add CAP_AUDIT_WRITE to avoid issues with callout
      scripts breaking due to sudo/pam being unable to audit the action.
      Fixed in upstream issue #918, suggested to Debian in #868806 (LP 1787208)
      [in Debian now]

 -- Christian Ehrhardt <email address hidden> Mon, 13 May 2019 15:55:22 +0200

Changed in openvpn (Ubuntu Eoan):
status: In Progress → Fix Released
description: updated

the upstream change that fixes it in the upstream files (we have waited for the discussion there to conclude):
=> https://github.com/OpenVPN/openvpn/commit/a564781cfd9912d0f755394d1fa610706d93e707

Added SRU Template, based on the older bug.
Pushed tags and sponsored for the SRU-Teams review.

description: updated

Hello Christian, or anyone else affected,

Accepted openvpn into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.4.6-1ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openvpn (Ubuntu Disco):
status: New → Fix Committed
tags: added: verification-needed verification-needed-disco

This also waits in Bionic and Cosmic.
I'll wait with verification until those are accepted as well (for efficiency)

Łukasz Zemczak (sil2100) wrote :

There seems to already be an openvpn SRU in progress for cosmic - awaiting verification. I will only be able to accept this one once the other is released or if the package is re-uploaded with -v to include the other SRU in it (after coordinating it with the previous uploader).

Yeah you are right Lukasz, I have seen the ping on the other bug by Raof.
Let me ask Joy how she wants to proceed with the one in proposed - thanks for the hint.

Timo Aaltonen (tjaalton) wrote :

Hello Christian, or anyone else affected,

Accepted openvpn into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.4.6-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openvpn (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed-cosmic
Changed in openvpn (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Timo Aaltonen (tjaalton) wrote :

Hello Christian, or anyone else affected,

Accepted openvpn into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.4.4-2ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

For the tests/verifications I created the keys for this just once on a cosmic test system, and reused the certificates on all nodes that participated in the test.
This time I followed https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

For the sake of anyone reproducing this (and since they do not bear any security) I'll attach the tarball with those to easen the task.

Download full text (3.1 KiB)

Copy the keys to /etc/openvpn/server / /etc/openvpn/client respectively
clients:
sudo mv client.conf ca.crt ca.key ta.key client/; sudo mv client1.crt client/client.crt; sudo mv client1.key client/client.key
server:
sudo mv dh.pem ca.crt server.crt server.key ta.key server

Finally set up the remote IPs in the client.conf and start the servers.

Remember to set script-security 2 to call scripts as on "these" service files this isn't the default.

Without sudo setup you'll get like:
Jun 13 12:20:01 bionic-s openvpn[2633]: sudo: no tty present and no askpass program specified
Jun 13 12:20:01 bionic-s sudo[2645]: pam_unix(sudo:auth): conversation failed
Jun 13 12:20:01 bionic-s sudo[2645]: pam_unix(sudo:auth): auth could not identify password for [openvpn]
Jun 13 12:20:01 bionic-s openvpn[2633]: sudo: unable to send audit message: Operation not permitted
Jun 13 12:20:01 bionic-s openvpn[2633]: sudo: unable to send audit message: Operation not permitted
Jun 13 12:20:01 bionic-s sudo[2645]: openvpn : user NOT in sudoers ; TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1

so add this to /etc/sudoers:
openvpn ALL=(ALL) NOPASSWD:ALL

Then you'll get an error:
Jun 13 12:22:31 bionic-s sudo[2681]: openvpn : TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1
Jun 13 12:22:31 bionic-s openvpn[2633]: sudo: unable to send audit message
Jun 13 12:22:31 bionic-s sudo[2681]: PAM audit_log_acct_message() failed: Operation not permitted
Jun 13 12:22:31 bionic-s sudo[2681]: pam_unix(sudo:session): session opened for user root by (uid=0)

I "successfully" got this message on Bionic/Cosmic/Disco.

Upgrading the server to the fixed version on all three servers.

With the new version the issue is fixed:
Jun 13 12:26:19 bionic-s sudo[3330]: openvpn : TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1
Jun 13 12:26:19 bionic-s sudo[3330]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 13 12:26:19 bionic-s openvpn[3316]: uid=0(root) gid=0(root) groups=0(root)
Jun 13 12:26:19 bionic-s sudo[3330]: pam_unix(sudo:session): session closed for user root

Jun 13 12:26:20 cosmic-s sudo[4156]: openvpn : TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1
Jun 13 12:26:20 cosmic-s sudo[4156]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 13 12:26:20 cosmic-s openvpn[4138]: uid=0(root) gid=0(root) groups=0(root)
Jun 13 12:26:20 cosmic-s sudo[4156]: pam_unix(sudo:session): session closed for user root

Jun 13 12:26:22 disco-s sudo[3913]: openvpn : TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1
Jun 13 12:26:22 disco-s sudo[3913]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 13 12:26:22 disco-s openvpn[3895]: uid=0(root) gid=0(root) groups=0(root)
Jun 13 12:26:22 disco-s sudo[3913]: pam_unix(sudo:session): session closed for user root

This confirms that sudo (if setup) now can work as the AUDIT cap is no more blocking ...

Read more...

tags: added: verification-done verification-done-bionic verification-done-cosmic verification-done-disco
removed: verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-disco
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.4.6-1ubuntu3.1

---------------
openvpn (2.4.6-1ubuntu3.1) disco; urgency=medium

  * d/p/lp-1828771-CapabilityBoundingSet-for-auth_pam.patch: Add CAP_AUDIT_WRITE
    to upstreams set of .service files to avoid issues with callout scripts
    breaking due to sudo/pam being unable to audit the action (LP: #1828771)

 -- Christian Ehrhardt <email address hidden> Tue, 14 May 2019 10:21:37 +0200

Changed in openvpn (Ubuntu Disco):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for openvpn has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.4.6-1ubuntu2.2

---------------
openvpn (2.4.6-1ubuntu2.2) cosmic; urgency=medium

  * d/p/lp-1828771-CapabilityBoundingSet-for-auth_pam.patch: Add CAP_AUDIT_WRITE
    to upstreams set of .service files to avoid issues with callout scripts
    breaking due to sudo/pam being unable to audit the action (LP: #1828771)

 -- Christian Ehrhardt <email address hidden> Tue, 14 May 2019 10:24:03 +0200

Changed in openvpn (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.4.4-2ubuntu1.3

---------------
openvpn (2.4.4-2ubuntu1.3) bionic; urgency=medium

  * d/p/lp-1828771-CapabilityBoundingSet-for-auth_pam.patch: Add CAP_AUDIT_WRITE
    to upstreams set of .service files to avoid issues with callout scripts
    breaking due to sudo/pam being unable to audit the action (LP: #1828771)

 -- Christian Ehrhardt <email address hidden> Tue, 14 May 2019 10:25:51 +0200

Changed in openvpn (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.