upstream/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2026-06-09 08:59:57 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

systemd: extend CapabilityBoundingSet for auth_pam

Browse source 
Auth_pam will require audit writes or the connection will be rejected
as the plugin fails to initialize like:
  openvpn[1111]: sudo: unable to send audit message
  openvpn[1111]: sudo: pam_open_session: System error
  openvpn[1111]: sudo: policy plugin failed session initialization

See links from https://community.openvpn.net/openvpn/ticket/918 for
more.

auth_pam is a common use case and capabilties for it should be allowed
by the .service file.

Fixes: #918

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20180829142715.417-2-christian.ehrhardt@canonical.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17432.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Christian Ehrhardt 2018-08-29 16:27:14 +02:00 committed by Gert Doering
parent 7170bef507
commit a564781cfd
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
distro/systemd/openvpn-server@.service.in
View file

@ -11,7 +11,7 @@ Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw