#1 2020-11-18 14:29:35

Landaro
Member
Registered: 2020-04-22
Posts: 5

OpenVPN update broken permissions for auth-user-pass credential file

Hello,

on my system I have two OpenVPN connections that (should) automatically connect at startup. Both connections are minimally invasive and only install additional routes in my routing table to make certain 10.X.Y.Z networks reachable. As such, both connections can be active simultaneously without problems. The configs for both connections reside in /etc/openvpn/client, namely innovo-jk-ma.conf (A) and mac-openstack.jonaskaiser.conf (B), and the auto-connect is realised via the shipped systemd-units where both the following are enabled:

  • openvpn-client@innovo-jk-ma.service

  • openvpn-client@mac-openstack.jonaskaiser.service

Everything was working fine until a recent OpenVPN update where one of the two services started to consistently fail (A), while the other (B) continued to work flawlessly. The update in question was

2.5.0-1 -> 2.5.0-3

From what I have figured out so far, the version that introduced the problem is 2.5.0-2, where an unprivileged user openvpn.openvpn was introduced. To determine why one of the connections was failing while the other continues to work, I had a look at the differences between the configs and also inspected the error logs of the failed connection.

Here is what I think is causing the problem. The failing connection (A) needs a username and password, while the functional one (B) does not. To provide these credentials, the config file for (A) contains the following entry:

...
auth-user-pass /etc/openvpn/client/innovo-jk-ma.cred
...

From the logs of the failed systemd unit, this matching error most likely indicates the root problem (the warning likely stems from my attempts to fix the problem, i.e. I began to adjust file ownerships and permissions to fix the error)

...
Nov 18 09:26:41 orchid openvpn[569]: WARNING: file '/etc/openvpn/client/innovo-jk-ma.cred' is group or others accessible
Nov 18 09:26:41 orchid openvpn[569]: Options error: --auth-user-pass fails with '/etc/openvpn/client/innovo-jk-ma.cred': Permission denied (errno=13)
...

That is, it looks like the user under which the systemd unit is operating when it tries to create the connection (my current understanding is that this is now the openvpn.openvpn user, but maybe I am wrong?) does not have sufficient permissions to read the credential file. Note that the connection (A) launches perfectly fine when I actively run the openvpn command as root with the given configuration, which further strengthens my belief that something is wrong with the ownership/permissions of the credentials file.

So here is the question: What is the correct ownership/group/permission setup for the configs and credential files in /etc/openvpn/client to make the systemd units work when the configs rely on the auth-user-pass option? For reference, this is what my client config directory looks like after some initial (unsuccessful) attempts to solve this:

[root@orchid client]# pwd
/etc/openvpn/client
[root@orchid client]# ls -la
total 40
drwxr-x--- 2 openvpn network  4096 Nov 18 09:24 .
drwxr-xr-x 4 root    root     4096 Nov  9 10:12 ..
-rw-r----- 1 root    openvpn 11922 Nov 12 13:35 innovo-jk-ma.conf
-r--r----- 1 root    openvpn    24 Feb 20  2019 innovo-jk-ma.cred
-rw-r----- 1 root    openvpn 13575 Dec 19  2019 mac-openstack.jonaskaiser.conf

Edit: I only played around with the ownership/permissions of the shown conf and cred files; the directory structure above (i.e. the client directory and its parents) is system standard and not manually adjusted ...

Last edited by Landaro (2020-11-18 14:33:01)

#2 2020-11-21 19:06:16

neutronst4r
Member
Registered: 2016-02-25
Posts: 30

Re: OpenVPN update broken permissions for auth-user-pass credential file

my current understanding is that this is now the openvpn.openvpn user, but maybe I am wrong?

No, if you look at the system service file, that is exactly what is happening:

[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf
User=openvpn
Group=network
AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process

[Install]
WantedBy=multi-user.target

I have the same problem with my service files. Rewriting the service file to use root again fixes it, but whether or not that is the correct way to do it, I don't know. You can make a copy of that file from "/usr/lib/systemd/system/openvpn-client@.service" and shove it into "/etc/systemd/system" to overwrite it and edit it. That way it won't get overwritten in the next pacman update.

EDIT:
Changing the Ownership of /etc/openvpn seems to fix it for me. Check out this helpful link.

# chown -R openvpn:openvpn /etc/openvpn

Last edited by neutronst4r (2020-11-21 20:58:19)


makepkg not war
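An added example (not from the thread or the openvpn package): a small Python audit that applies the identity the unit above runs with (User=openvpn, Group=network) to a credential file, separating "readable by the service" from the condition behind OpenVPN's "group or others accessible" warning. The numeric ids are constructed, and the way the process's group set is modelled (Group= plus groups that list the user as a member) is an assumption.

```python
import grp
import os
import pwd
import stat

# Identity the shipped unit runs with (User=openvpn, Group=network).
SERVICE_USER = "openvpn"
SERVICE_GROUP = "network"


def can_read(mode, f_uid, f_gid, p_uid, p_gids):
    """Plain DAC read check (owner, then group, then other); capabilities
    such as the unit's CAP_DAC_OVERRIDE are deliberately not modelled."""
    if p_uid == 0:
        return True
    if p_uid == f_uid:
        return bool(mode & stat.S_IRUSR)
    if f_gid in p_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def is_exposed(mode):
    """Any group/other bit set: what triggers OpenVPN's warning."""
    return bool(mode & 0o077)


def evaluate(mode, f_uid, f_gid, p_uid, p_gids):
    return {"readable": can_read(mode, f_uid, f_gid, p_uid, p_gids),
            "exposed": is_exposed(mode)}


def service_identity(user=SERVICE_USER, group=SERVICE_GROUP):
    """uid and gid set of a User=/Group= process. Assumed to match
    initgroups(user, gid): the Group= gid plus every group listing the
    user as a member; the passwd primary group is not added unless listed."""
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    return uid, set(os.getgrouplist(user, gid))


def audit_path(path, user=SERVICE_USER, group=SERVICE_GROUP):
    """Check a real file, e.g. /etc/openvpn/client/innovo-jk-ma.cred."""
    st = os.stat(path)
    uid, gids = service_identity(user, group)
    return evaluate(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)


# Constructed ids standing in for the thread's listing (real values differ).
ROOT, OPENVPN_UID, OPENVPN_GID, NETWORK_GID = 0, 971, 971, 90

def thread_cases():
    """Failing state from the listing, after the chown -R fix, and a 0400
    variant that is readable and also silences the warning."""
    proc = (OPENVPN_UID, {NETWORK_GID})
    return {"before": evaluate(0o440, ROOT, OPENVPN_GID, *proc),
            "after_chown": evaluate(0o440, OPENVPN_UID, OPENVPN_GID, *proc),
            "hardened": evaluate(0o400, OPENVPN_UID, OPENVPN_GID, *proc)}
```

The same check can be pointed at the .conf files; a file the service identity owns is also writable by it unless the owner write bit is cleared, which is worth keeping in mind after a recursive chown.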


#3 2020-11-23 19:35:14

Landaro
Member
Registered: 2020-04-22
Posts: 5

Re: OpenVPN update broken permissions for auth-user-pass credential file

Thanks for the input. The recursive ownership change fixed the problem for me as well. Are those the ownership values that would be assigned to the directory on a fresh install? I noticed that the update did change some of the ownership parameters, but it apparently missed some bits and pieces. Where would I go to help improve the package in this regard (or at least further discuss the situation)?

Thanks again for your support :-)

This topic can be considered resolved ... not sure if I should do something myself, or whether a board moderator handles this ...

Last edited by Landaro (2020-11-23 19:36:15)
