From 7cc372c7f6b4dcc20533433a20dfd5a95f117146 Mon Sep 17 00:00:00 2001 From: Christian Ehrhardt Date: Wed, 29 Aug 2018 16:27:14 +0200 Subject: [PATCH] systemd: extend CapabilityBoundingSet for auth_pam Auth_pam will require audit writes or the connection will be rejected as the plugin fails to initialize like: openvpn[1111]: sudo: unable to send audit message openvpn[1111]: sudo: pam_open_session: System error openvpn[1111]: sudo: policy plugin failed session initialization See links from https://community.openvpn.net/openvpn/ticket/918 for more. auth_pam is a common use case and capabilties for it should be allowed by the .service file. Fixes: #918 Signed-off-by: Christian Ehrhardt Acked-by: David Sommerseth Message-Id: <20180829142715.417-2-christian.ehrhardt@canonical.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17432.html Signed-off-by: Gert Doering (cherry picked from commit a564781cfd9912d0f755394d1fa610706d93e707) --- distro/systemd/openvpn-server@.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in index a8366a04d..d1cc72cbd 100644 --- a/distro/systemd/openvpn-server@.service.in +++ b/distro/systemd/openvpn-server@.service.in @@ -11,7 +11,7 @@ Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw -- 2.47.2
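Review bot: the widened `+CapabilityBoundingSet=... CAP_AUDIT_WRITE` line grants the extra capability to every `openvpn-server@.service` instance, not only to those that load auth_pam, so the commit message should state that the audit-write capability is now in the bounding set unconditionally and that deployments not using PAM can take it back with a drop-in that masks it (a `CapabilityBoundingSet=~CAP_AUDIT_WRITE` line in an override, which systemd merges with the unit's own setting). It would also help the description to spell out what the quoted log lines show: the failure is raised under `sudo:` inside `pam_open_session`, i.e. by the PAM session stack sending an audit message, which is why the fix belongs in the unit's bounding set rather than in OpenVPN code. Minor: "capabilties" in the message is misspelled.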