From nobody Mon Nov 1 12:04:45 2021
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 22BA21812E40; Mon, 1 Nov 2021 12:04:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HjWtQ0S0vz3MqD; Mon, 1 Nov 2021 12:04:46 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E392A11514; Mon, 1 Nov 2021 12:04:45 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1A1C4j2n012680; Mon, 1 Nov 2021 12:04:45 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1A1C4j0R012679; Mon, 1 Nov 2021 12:04:45 GMT (envelope-from git)
Date: Mon, 1 Nov 2021 12:04:45 GMT
Message-Id: <202111011204.1A1C4j0R012679@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Matthias Andree Subject: git: bb6ec079c50d - main - security/openvpn: create and use dedicated openvpn user List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mandree X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: bb6ec079c50dc6f45700dd5897b35f66a19ee51c Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=bb6ec079c50dc6f45700dd5897b35f66a19ee51c commit bb6ec079c50dc6f45700dd5897b35f66a19ee51c Author: Matthias Andree AuthorDate: 2021-10-31 17:37:47 +0000 Commit: Matthias Andree CommitDate: 2021-11-01 12:04:24 +0000 security/openvpn: create and use dedicated openvpn user PR: 259384 --- GIDs | 2 +- UIDs | 2 +- security/openvpn/Makefile | 12 +++++++- .../patch-doc_man-sections_generic-options.rst | 11 ++++++++ security/openvpn/files/patch-doc_openvpn.8 | 20 +++++++++++++ security/openvpn/files/patch-doc_openvpn.8.html | 20 +++++++++++++ security/openvpn/files/pkg-message.in | 33 ++++++++++++++++------ 7 files changed, 89 insertions(+), 11 deletions(-) diff --git a/GIDs b/GIDs index 4cb40984b169..035879071152 100644 --- a/GIDs +++ b/GIDs @@ -240,7 +240,7 @@ conduit:*:297: neolink:*:298: owncast:*:299: backuppc:*:300: -# free: 301 +openvpn:*:301: netdata:*:302: # free: 303 # free: 304 diff --git a/UIDs b/UIDs index 4adfd141d0bc..45cbeeddddff 100644 --- a/UIDs +++ b/UIDs 
@@ -245,7 +245,7 @@ conduit:*:297:297::0:0:Conduit daemon:/var/db/conduit:/usr/sbin/nologin neolink:*:298:298::0:0:& daemon:/nonexistent:/usr/sbin/nologin owncast:*:299:299::0:0:& daemon:/nonexistent:/usr/sbin/nologin backuppc:*:300:300::0:0:BackupPC pseudo-user:/nonexistent:/usr/sbin/nologin -# free: 301 +openvpn:*:301:301::0:0:OpenVPN pseudo-user:/nonexistent:/usr/sbin/nologin netdata:*:302:302::0:0:NetData Daemon:/var/cache/netdata:/usr/sbin/nologin # free: 303 # free: 304 diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 686f62e010d1..8c4bdcae27ac 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -2,7 +2,7 @@ PORTNAME= openvpn DISTVERSION= 2.5.4 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ @@ -21,6 +21,9 @@ SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl +USERS= openvpn +GROUPS= openvpn + GNU_CONFIGURE= yes CONFIGURE_ARGS+= --enable-strict # set PLUGIN_LIBDIR so that unqualified plugin paths are found: @@ -119,6 +122,13 @@ pre-configure: @${ECHO} "### --------------------------------------------------------- ###" .endif +post-patch: + ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ + -e 's/"nobody"( after init)/"openvpn" \1/' \ + ${WRKSRC}/sample/sample-config-files/*.conf \ + ${WRKSRC}/sample/sample-config-files/xinetd-*-config \ + ${WRKSRC}/doc/man-sections/generic-options.rst + post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst new file mode 100644 index 000000000000..a6fecf86a6fd --- /dev/null +++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst 
@@ -0,0 +1,11 @@ +--- doc/man-sections/generic-options.rst.orig 2021-10-31 16:17:17 UTC ++++ doc/man-sections/generic-options.rst +@@ -431,7 +431,7 @@ which mode OpenVPN is configured as. + able to gain control of an OpenVPN session. Though OpenVPN's security + features make this unlikely, it is provided as a second line of defense. + +- By setting ``user`` to :code:`nobody` or somebody similarly unprivileged, ++ By setting ``user`` to :code:`openvpn` or somebody similarly unprivileged, + the hostile party would be limited in what damage they could cause. Of + course once you take away privileges, you cannot return them to an + OpenVPN session. This means, for example, that if you want to reset an diff --git a/security/openvpn/files/patch-doc_openvpn.8 b/security/openvpn/files/patch-doc_openvpn.8 new file mode 100644 index 000000000000..a536dae76755 --- /dev/null +++ b/security/openvpn/files/patch-doc_openvpn.8 
@@ -0,0 +1,20 @@ +--- doc/openvpn.8.orig 2021-10-05 05:57:01 UTC ++++ doc/openvpn.8 +@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior + .B \-\-persist\-key + Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&. + .sp +-This option can be combined with \fB\-\-user nobody\fP to allow restarts ++This option can be combined with \fB\-\-user openvpn\fP to allow restarts + triggered by the \fBSIGUSR1\fP signal. Normally if you drop root + privileges in OpenVPN, the daemon cannot be restarted since it will now + be unable to re\-read protected key files. +@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho + able to gain control of an OpenVPN session. Though OpenVPN\(aqs security + features make this unlikely, it is provided as a second line of defense. + .sp +-By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged, ++By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged, + the hostile party would be limited in what damage they could cause. Of + course once you take away privileges, you cannot return them to an + OpenVPN session. This means, for example, that if you want to reset an diff --git a/security/openvpn/files/patch-doc_openvpn.8.html b/security/openvpn/files/patch-doc_openvpn.8.html new file mode 100644 index 000000000000..5b1e8e805e13 --- /dev/null +++ b/security/openvpn/files/patch-doc_openvpn.8.html @@ -0,0 +1,20 @@ +--- doc/openvpn.8.html.orig 2021-10-05 05:57:01 UTC ++++ doc/openvpn.8.html +@@ -650,7 +650,7 @@ lower priority, n le + + --persist-key +

Don't re-read key files across SIGUSR1 or --ping-restart.

+-

This option can be combined with --user nobody to allow restarts ++

This option can be combined with --user openvpn to allow restarts + triggered by the SIGUSR1 signal. Normally if you drop root + privileges in OpenVPN, the daemon cannot be restarted since it will now + be unable to re-read protected key files.

+@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th + useful to protect the system in the event that some hostile party was + able to gain control of an OpenVPN session. Though OpenVPN's security + features make this unlikely, it is provided as a second line of defense.

+-

By setting user to nobody or somebody similarly unprivileged, ++

By setting user to openvpn or somebody similarly unprivileged, + the hostile party would be limited in what damage they could cause. Of + course once you take away privileges, you cannot return them to an + OpenVPN session. This means, for example, that if you want to reset an diff --git a/security/openvpn/files/pkg-message.in b/security/openvpn/files/pkg-message.in index 29d37b360f3c..c527aec28683 100644 --- a/security/openvpn/files/pkg-message.in +++ b/security/openvpn/files/pkg-message.in @@ -1,17 +1,34 @@ [ { type: install message: <.ovpn +Connect to VPN server as a client with this command to include +the client.up/down scripts in the initialization: +openvpn-client .ovpn - For compatibility notes when interoperating with older OpenVPN - versions, please see +For compatibility notes when interoperating with older OpenVPN +versions, please see - Note that OpenVPN does not officially support LibreSSL. +Note that OpenVPN does not officially support LibreSSL. + +Note that OpenVPN configures a separate user and group "openvpn", +which should be used instead of the NFS user "nobody" +when an unprivileged user account is desired. + +You may want to add user openvpn and group openvpn when creating your +configuration files, the example configuration shows this only as comments. +EOM +} +{ type: upgrade + message: <
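Review bot: in the UIDs and GIDs hunks, UID 301 and GID 301 are taken as a pair, with home `/nonexistent` and shell `/usr/sbin/nologin`, which is the right shape for a service account that must never be able to log in interactively; the only style point is the GECOS field, where `OpenVPN pseudo-user` differs from the `& daemon` form used by the neighbouring `neolink` and `owncast` entries, so either form is fine but the file reads better with one convention.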
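Review bot: in the `post-patch` target of security/openvpn/Makefile, `${REINPLACE_CMD} -E -i ''` passes `-i` a second time; `REINPLACE_CMD` already expands to `${SED}` with the framework's `-i` argument, so the explicit `-i ''` is redundant and overrides the framework's setting, and `${REINPLACE_CMD} -E -e ...` is enough. Note also that the two sed expressions (`(user|group) nobody` and `"nobody"( after init)`) only rewrite the sample config files and `doc/man-sections/generic-options.rst`; the pre-generated `doc/openvpn.8` and `doc/openvpn.8.html` receive the same wording change through the three new patch files, so those copies of the man page text have to be kept in step by hand whenever upstream touches that paragraph.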
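Review bot: the three documentation patches change only the suggested account name in the `--user` text from `nobody` to `openvpn`; the surrounding paragraph, kept unchanged, still makes the operational point that matters for this change: once privileges are dropped they cannot be regained, so the `openvpn.8` hunk at line 358 pairs `--user openvpn` with `--persist-key` so a `SIGUSR1` restart can proceed without re-reading protected key files. It would help operators if the pkg-message repeated that pairing next to the new `user openvpn` / `group openvpn` advice, since a configuration that switches to the dedicated user without `persist-key` will fail on restart exactly as the man page describes.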
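Review bot: in the pkg-message.in hunk, the install message says the example configuration shows the user and group "only as comments", which is consistent with the `post-patch` sed rewriting the sample files in place (upstream ships those directives commented out, so the samples now carry `user openvpn` in comment form rather than `user nobody`). The phrase "the NFS user nobody" would be clearer with one sentence on why a dedicated account is preferable: `nobody` is shared with other unprivileged daemons on the host, so a process running as `nobody` shares identity, and therefore signals and file ownership, with all of them, whereas a dedicated `openvpn` account confines a compromised tunnel process to its own identity. The `upgrade` message is cut off on this page after `message: <`, so its wording could not be checked here.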