Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
systemd: Improve the systemd unit files
There are several changes which allows systemd to take care of several aspects of hardening the execution of OpenVPN. - Let systemd take care of the process tracking directly, instead of doing that via PID files - Make systemd prepare proper runtime directories for the OpenVPN process. - Let systemd do the chdir() before starting OpenVPN. This allows us to avoid using the --cd option when executing openvpn. - CAP_DAC_OVERRIDE was needed when using --chroot. Otherwise the root user would not be allowed to access files/directories not owned by root. This will change in the future, when we find better ways to avoid calling chroot() in OpenVPN and rather let systemd prepare a more isolated namespace. - Client configurations are now started with --nobind and the OpenVPN client process have lost the CAP_NET_BIND_SERVICE capability which allows binding to port < 1024. - Documentation URL now points at the OpenVPN 2.4 man page URL The majority of these changes have been proposed by Elias Probst (eliasp) in the GitHub PR OpenVPN#22. v3 - Add ExecPreStart= to check if OpenVPN configuration contains 'daemon'. That can break the process tracking as we now use Type=simple (default) v2 - Change RuntimeDirectory= to a profile specific (client, server) directory to avoid clashing with older distro unit files Commit note: As this is not a critical security change, we apply this without any formal ACKs. It has been thoroghly tested by several users. See mailing list for details. Contribution-by: Elias Probst <[email protected]> Signed-off-by: David Sommerseth <[email protected]> Message-Id: <[email protected]> URL: http://www.mail-archive.com/[email protected]/msg13039.html
- Loading branch information
