ProtectSystem=true mounts the /usr and /boot directories read-only.
ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.
See systemd.exec(5) [0] for details.
v2: Replace ProtectSystem=strict with ProtectSystem=true. Some
configurations may want to write to /etc or the like.
[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161227221832.610-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13743.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.
So do not handle this in unit files but provide a tmpfiles.d
configuration and let systemd-tmpfiles do the work.
Nobody will (unintentionally) delete the directories and their content.
As /run is volatile we do not have to care about cleanup.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-2-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13939.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
If systemd is enabled we install unit files to $libdir/systemd/system
(or the path specified by SYSTEMD_UNIT_DIR).
The unit files are generated on the fly with matching $sbindir.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13940.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
We start with systemd Type=notify, so refuse to daemonize. This does not
affect starting openvpn from script or command line.
v2: Update commit message about script and command line.
Signed-off-by: Christian Hesse <mail@eworm.de>
Tested-By: Richard Bonhomme <fragmentux@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161201213104.5667-2-list@eworm.de>
URL: http://www.mail-archive.com/search?l=mid&q=20161201213104.5667-2-list@eworm.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
Notify the systemd service manager when our initialization sequence
has completed. This helps ordering services, as dependencies can rely on
the VPN being available.
v2: Add curly brackets (and indentation) to block the else-part; the msg()
call was non-conditional before.
v3: Move systemd header include from init.h to init.c.
Signed-off-by: Christian Hesse <mail@eworm.de>
Tested-By: Richard Bonhomme <fragmentux@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161201213104.5667-1-list@eworm.de>
URL: http://www.mail-archive.com/search?l=mid&q=20161201213104.5667-1-list@eworm.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
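The READY=1 exchange that Type=notify depends on, as an added example (not OpenVPN's code, which calls libsystemd's sd_notify()): a minimal reimplementation of the notification protocol plus a stand-in "manager" socket at a constructed path so the handshake can be observed without systemd.

```python
import os
import socket
import tempfile


def notify(state: str) -> bool:
    """Send one sd_notify-style datagram to the service manager.

    systemd exports the socket path in $NOTIFY_SOCKET; a leading '@' marks
    an abstract-namespace socket (encoded with a leading NUL byte). Returns
    False when no manager is listening, so the same binary still starts
    fine from a shell or script.
    """
    path = os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    if path.startswith("@"):
        path = "\0" + path[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(state.encode(), path)
    return True


def notify_ready() -> bool:
    """What a Type=notify service sends once initialization has finished."""
    return notify("READY=1\n")


def demo_with_fake_manager() -> str:
    """Stand in for systemd: bind a datagram socket at a constructed path,
    export it as NOTIFY_SOCKET, call notify_ready() and return the text
    the 'manager' received (empty string if nothing was sent)."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "notify")  # constructed for the demo
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as manager:
            manager.bind(sock_path)
            manager.settimeout(2)
            saved = os.environ.get("NOTIFY_SOCKET")
            os.environ["NOTIFY_SOCKET"] = sock_path
            try:
                sent = notify_ready()
            finally:
                if saved is None:
                    os.environ.pop("NOTIFY_SOCKET", None)
                else:
                    os.environ["NOTIFY_SOCKET"] = saved
            return manager.recv(4096).decode() if sent else ""


if __name__ == "__main__":
    print(repr(demo_with_fake_manager()))
```

Because systemd only marks the unit active once READY=1 arrives, a service that forked away from the manager before sending it would never be seen as started, which is why daemonizing is refused under Type=notify.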
There are several changes which allow systemd to take care of several
aspects of hardening the execution of OpenVPN.
- Let systemd take care of the process tracking directly, instead
  of doing that via PID files
- Make systemd prepare proper runtime directories for the OpenVPN
  process.
- Let systemd do the chdir() before starting OpenVPN. This allows
  us to avoid using the --cd option when executing openvpn.
- CAP_DAC_OVERRIDE was needed when using --chroot. Otherwise
  the root user would not be allowed to access files/directories
  not owned by root. This will change in the future, when we
  find better ways to avoid calling chroot() in OpenVPN and
  rather let systemd prepare a more isolated namespace.
- Client configurations are now started with --nobind and
  the OpenVPN client process has lost the CAP_NET_BIND_SERVICE
  capability which allows binding to ports < 1024.
- Documentation URL now points at the OpenVPN 2.4 man page URL
The majority of these changes have been proposed by Elias Probst
(eliasp) in the GitHub PR #22.
v3 - Add ExecStartPre= to check if OpenVPN configuration contains
     'daemon'. That can break the process tracking as we now use
     Type=simple (default).
v2 - Change RuntimeDirectory= to a profile specific (client, server)
     directory to avoid clashing with older distro unit files
Commit note: As this is not a critical security change, we apply this
without any formal ACKs. It has been thoroughly tested by
several users. See mailing list for details.
Contribution-by: Elias Probst <mail@eliasprobst.eu>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1479122408-6867-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13039.html
Systemd can delay starting a service if the network isn't fully available
yet. This feature is useful in client configurations, where OpenVPN will
not be started before the client can reach the Internet. It is the network
service manager which tells systemd whether the system is "online" or not.
For server configurations, OpenVPN should be able to start regardless of
whether the system is "online" or not. This is also the old behaviour of
most of the old init.d scripts and the last systemd unit file.
This patch splits the previous systemd unit file into two files. One
which is aimed at clients (openvpn-client@.service) and one for server
configurations (openvpn-server@.service). These files will also pick
the configurations from different sub-directories. The unit file for
openvpn-client@ will use /etc/openvpn/client and the server unit file
will use /etc/openvpn/server. This also ensures that config files
are not started in the wrong manner.
The arguments given to the openvpn binary have also shifted order,
to ensure that some of them cannot be overridden by the config file,
such as --daemon and --writepid. For server configurations a
--status file is also added with the status format set to 2. This
can be overridden by the configuration file.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1415889817-28049-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9222
Signed-off-by: Gert Doering <gert@greenie.muc.de>
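Both the ExecStartPre= check for a 'daemon' directive (v3 of the hardening commit) and the concern that a config file could override --daemon or --writepid come down to the same question: does the configuration contain directives that fight systemd's own process tracking? The checker below is an added example, not the project's unit-file check; the directive list and the sample config are constructed for the demo, and comment stripping is an approximation that ignores quoting.

```python
import re

# Directives the unit file manages itself; the config must not set them.
# The reasons follow the commit messages above; the mapping is constructed.
CONFLICTING = {
    "daemon": "forks away from systemd, breaking Type=simple process tracking",
    "writepid": "PID files are redundant when systemd tracks the process",
}


def strip_comment(line: str) -> str:
    """Drop '#' / ';' comments (approximation: quoted text is not handled)."""
    return re.split(r"[#;]", line, maxsplit=1)[0].strip()


def find_conflicts(config_text: str) -> list:
    """Return (line_no, directive, reason) for each conflicting directive.

    Config files may give options with or without the leading '--', and
    commented-out lines must not trigger a false positive.
    """
    hits = []
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = strip_comment(raw)
        if not line:
            continue
        directive = line.split()[0].lstrip("-").lower()
        if directive in CONFLICTING:
            hits.append((no, directive, CONFLICTING[directive]))
    return hits


# Constructed sample client config; not taken from any real deployment.
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.invalid 1194
;daemon        commented out, must be ignored
daemon         # breaks process tracking under systemd
--writepid /run/openvpn/client.pid
nobind
"""

if __name__ == "__main__":
    # Exit non-zero like an ExecStartPre= check would, so the unit fails
    # early with a clear reason instead of losing track of the process.
    problems = find_conflicts(SAMPLE_CONFIG)
    for no, name, why in problems:
        print(f"line {no}: '{name}': {why}")
    raise SystemExit(1 if problems else 0)
```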