8b42c19762
There are several changes which allow systemd to take care of several aspects of hardening the execution of OpenVPN.

- Let systemd take care of the process tracking directly, instead of doing that via PID files
- Make systemd prepare proper runtime directories for the OpenVPN process.
- Let systemd do the chdir() before starting OpenVPN. This allows us to avoid using the --cd option when executing openvpn.
- CAP_DAC_OVERRIDE was needed when using --chroot. Otherwise the root user would not be allowed to access files/directories not owned by root. This will change in the future, when we find better ways to avoid calling chroot() in OpenVPN and rather let systemd prepare a more isolated namespace.
- Client configurations are now started with --nobind and the OpenVPN client process has lost the CAP_NET_BIND_SERVICE capability which allows binding to port < 1024.
- Documentation URL now points at the OpenVPN 2.4 man page URL

The majority of these changes have been proposed by Elias Probst (eliasp) in the GitHub PR #22.

v3 - Add ExecPreStart= to check if OpenVPN configuration contains 'daemon'. That can break the process tracking as we now use Type=simple (default)

v2 - Change RuntimeDirectory= to a profile specific (client, server) directory to avoid clashing with older distro unit files

Commit note: As this is not a critical security change, we apply this without any formal ACKs. It has been thoroughly tested by several users. See mailing list for details.

Contribution-by: Elias Probst <mail@eliasprobst.eu>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1479122408-6867-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13039.html
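The v3 note above explains why a pre-start check is needed: once the unit uses Type=simple, systemd tracks the process it launched, so an OpenVPN config that carries a `daemon` directive would fork away from that PID and leave systemd supervising nothing. The script below is an added example of such a check, written for this page and not OpenVPN's own unit file or script; the function name `check_no_daemon`, the `demo` helper and the two sample client configs it constructs are assumptions of this example. The function returns 0 when the config is safe to run in the foreground, 1 when a `daemon` directive is present, and 2 when the file cannot be read, which is what a pre-start line in a unit needs to refuse the start.

```shell
#!/bin/sh
# Added example, not OpenVPN's own code: a pre-start check of the kind the
# commit message describes. Under Type=simple, systemd expects the launched
# process to stay in the foreground; a config with a 'daemon' directive would
# fork and detach, and systemd would then track a dead PID.
# check_no_daemon and demo are hypothetical names chosen for this example.

# check_no_daemon CONFIG
#   Returns 0 when the config does not daemonize, 1 when a 'daemon' directive
#   is present, 2 when the file cannot be read. Comment lines ('#' or ';')
#   are ignored because the keyword must start the directive line; 'daemon'
#   may carry an optional progname argument, so whitespace or end of line
#   must follow it (this also keeps 'daemonize'-style words from matching).
check_no_daemon() {
    conf=$1
    [ -r "$conf" ] || { echo "error: cannot read $conf" >&2; return 2; }
    if grep -Eq '^[[:space:]]*daemon([[:space:]]|$)' "$conf"; then
        echo "error: $conf contains a 'daemon' directive; remove it, systemd manages the process" >&2
        return 1
    fi
    return 0
}

# demo: builds two constructed client configs in a temp dir and runs the
# check on each, printing the verdict a pre-start line would produce.
demo() {
    dir=$(mktemp -d) || return 2
    # Constructed sample configs; the remote host is a placeholder.
    printf 'client\nremote vpn.example.invalid 1194\nnobind\n# daemon is left to systemd\n' > "$dir/good.conf"
    printf 'client\nremote vpn.example.invalid 1194\ndaemon openvpn\n' > "$dir/bad.conf"
    for c in "$dir/good.conf" "$dir/bad.conf"; do
        rc=0
        check_no_daemon "$c" 2>/dev/null || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$c: ok, safe to run under Type=simple"
        else
            echo "$c: start refused (exit $rc)"
        fi
    done
    rm -rf "$dir"
}

demo
```

In a unit, the check runs as `ExecStartPre=` pointing at a script like this (the real unit in the commit is not reproduced here); because a non-zero `ExecStartPre=` status aborts the start, the misconfiguration surfaces in `systemctl status` and the journal instead of as a unit that silently reports a dead main process.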
Tree at this commit:

- rpm
- systemd
- Makefile.am