systemd: Improve the systemd unit files
There are several changes which allows systemd to take care of several
aspects of hardening the execution of OpenVPN.
- Let systemd take care of the process tracking directly, instead
of doing that via PID files
- Make systemd prepare proper runtime directories for the OpenVPN
process.
- Let systemd do the chdir() before starting OpenVPN. This allows
us to avoid using the --cd option when executing openvpn.
- CAP_DAC_OVERRIDE was needed when using --chroot. Otherwise
the root user would not be allowed to access files/directories
not owned by root. This will change in the future, when we
find better ways to avoid calling chroot() in OpenVPN and
rather let systemd prepare a more isolated namespace.
- Client configurations are now started with --nobind and
the OpenVPN client process have lost the CAP_NET_BIND_SERVICE
capability which allows binding to port < 1024.
- Documentation URL now points at the OpenVPN 2.4 man page URL
The majority of these changes have been proposed by Elias Probst
(eliasp) in the GitHub PR #22.
v3 - Add ExecPreStart= to check if OpenVPN configuration contains
'daemon'. That can break the process tracking as we now use
Type=simple (default)
v2 - Change RuntimeDirectory= to a profile specific (client, server)
directory to avoid clashing with older distro unit files
Commit note: As this is not a critical security change, we apply this
without any formal ACKs. It has been thoroghly tested by
several users. See mailing list for details.
Contribution-by: Elias Probst <mail@eliasprobst.eu>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Message-Id: <
1479122408-6867-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13039.html
projects / thirdparty / openvpn.git / commit
