Browse code

systemd: extend CapabilityBoundingSet for auth_pam

Auth_pam will require audit writes or the connection will be rejected
as the plugin fails to initialize like:
openvpn[1111]: sudo: unable to send audit message
openvpn[1111]: sudo: pam_open_session: System error
openvpn[1111]: sudo: policy plugin failed session initialization

See links from https://community.openvpn.net/openvpn/ticket/918 for
more.

auth_pam is a common use case and capabilties for it should be allowed
by the .service file.

Fixes: #918

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20180829142715.417-2-christian.ehrhardt@canonical.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17432.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Christian Ehrhardt authored on 2018/08/29 23:27:14
Showing 1 changed files
... ...
@@ -11,7 +11,7 @@ Type=notify
11 11
 PrivateTmp=true
12 12
 WorkingDirectory=/etc/openvpn/server
13 13
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
14
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
14
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
15 15
 LimitNPROC=10
16 16
 DeviceAllow=/dev/null rw
17 17
 DeviceAllow=/dev/net/tun rw