FS#46132 - [networkmanager-openvpn] add tmpfiles.d configuration file to allow chrooting

Attached to Project: Arch Linux
Opened by Mauro Santos (R00KIE) - Friday, 28 August 2015, 15:18 GMT
Last edited by Jan Alexander Steffens (heftig) - Saturday, 03 June 2023, 00:29 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Description:
This feature request is related to FS#46124. Networkmanager-openvpn now uses a separate user and group to increase security; in addition to this it also tries to chroot to an empty temporary directory, which does not exist and thus a warning is issued:

(nm-openvpn-service:29276): nm-openvpn-WARNING **: Directory '/var/lib/openvpn/chroot' not usable for chroot by 'nm-openvpn', openvpn will not be chrooted.

To make this work the following configuration file for tmpfiles.d can be used:

nm-openvpn.conf:
d /var/lib/openvpn/chroot - nm-openvpn nm-openvpn -
d /var/lib/openvpn/chroot/tmp - nm-openvpn nm-openvpn -

When /var/lib/openvpn/chroot and /var/lib/openvpn/chroot/tmp exist with the correct permissions (both must be writable by nm-openvpn) the following can be found in the logs:

nm-openvpn[29367]: chroot to '/var/lib/openvpn/chroot' and cd to '/' succeeded
nm-openvpn[29367]: GID set to nm-openvpn
nm-openvpn[29367]: UID set to nm-openvpn
nm-openvpn[29367]: Initialization Sequence Completed

Additional info:
networkmanager-openvpn 1.0.6-2

Steps to reproduce:
Connect to a vpn without the proper temporary directories in place and check the logs.
Create /usr/lib/tmpfiles.d/nm-openvpn.conf with the contents previously described, run 'systemd-tmpfiles --create /usr/lib/tmpfiles.d/nm-openvpn.conf' as root, connect to a vpn and check the logs.
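A small check for the conditions the report states (both directories exist and are owned by and writable by the service user), as an added example that is not part of the bug report or of networkmanager-openvpn. The directory and user name default to the report's values but are parameters; it assumes GNU coreutils `stat`, as on Arch Linux:

```shell
#!/bin/sh
# Added example, not part of the bug report or of networkmanager-openvpn.
# It checks the two conditions the report gives for a usable chroot directory:
# the directory exists and is owned by, and writable by, the service user.
# Assumes GNU coreutils `stat` (the -c option), as found on Arch Linux.

# dir_usable_by DIR USER
# Returns 0 when DIR is a directory owned by USER with the owner-write bit set,
# otherwise prints the reason and returns 1.
dir_usable_by() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory"
        return 1
    fi
    owner=$(stat -c %U "$dir") || return 1
    if [ "$owner" != "$user" ]; then
        echo "$dir: owned by '$owner', expected '$user'"
        return 1
    fi
    mode=$(stat -c %a "$dir") || return 1
    # The owner digit is the third from the right (a leading digit may carry
    # the setuid/setgid/sticky bits); write is set when it is 2, 3, 6 or 7.
    case $mode in
        *[2367]??) ;;
        *)
            echo "$dir: mode $mode is not writable by owner"
            return 1
            ;;
    esac
    return 0
}

# nm_openvpn_chroot_check [CHROOT_DIR] [USER]
# Checks both the chroot root and its tmp subdirectory, which is what the
# two tmpfiles.d lines in the report create. Defaults are the report's values.
nm_openvpn_chroot_check() {
    root=${1:-/var/lib/openvpn/chroot}
    user=${2:-nm-openvpn}
    dir_usable_by "$root" "$user" && dir_usable_by "$root/tmp" "$user"
}

# Usage: run as root after `systemd-tmpfiles --create` and before connecting.
# nm_openvpn_chroot_check && echo "chroot directory ready"
```

The check only looks at ownership and the owner-write bit, which is what the warning in the report is about; it says nothing about whether the rest of the VPN configuration is sound.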

Closed by Jan Alexander Steffens (heftig)
Saturday, 03 June 2023, 00:29 GMT
Reason for closing: Won't implement
Additional comments about closing: Seems to be buggy.
Comment by Dave Reisner (falconindy) - Friday, 28 August 2015, 15:43 GMT
Seems to me like this should just be something in the post_upgrade... What's the point of using tmpfiles to create directories which aren't on volatile storage?
Comment by Mauro Santos (R00KIE) - Friday, 28 August 2015, 15:53 GMT
That would also work, what matters is that the directories exist so networkmanager-openvpn can chroot.

I suppose that those directories could also be owned by the package and be tracked by pacman instead of being untracked if created in the post_upgrade or post_install.
Comment by Dave Reisner (falconindy) - Friday, 28 August 2015, 16:00 GMT
> be tracked by pacman instead of being untracked if created in the post_upgrade or post_install.
Yes, that would be even better...
Comment by Jan Alexander Steffens (heftig) - Saturday, 29 August 2015, 15:19 GMT
I could use tmpfiles and patch the directory to something like /run/NetworkManager/openvpn-chroot .
Comment by tranqil (tranqil) - Friday, 11 December 2015, 09:54 GMT
As a workaround it might be an option to make the chroot path changeable in the configuration file?
Comment by Eli Schwartz (eschwartz) - Tuesday, 15 August 2017, 15:47 GMT
What is the status of this?

Also as a rule the install script should probably be replaced by sysusers.d
If the chroot directory needs to be owned by the nm-openvpn user, tmpfiles.d has precedence as something to use in preference to another hardcoded UID/GID. ;)
Comment by mattia (nTia89) - Saturday, 19 March 2022, 11:18 GMT
No response in years. Can we close it?
Comment by Toolybird (Toolybird) - Friday, 02 June 2023, 22:50 GMT
> No response in years. Can we close it?

I don't use it, but AFAICT the issue still exists. The PM always has the option to close as "Won't implement"...
Comment by Jan Alexander Steffens (heftig) - Saturday, 03 June 2023, 00:29 GMT
Doesn't look like other distributions are using it. Debian also ran into problems and removed the feature again:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820554

https://salsa.debian.org/utopia-team/network-manager-openvpn/-/commit/4d3c6694cd8bff884c00dad968dd8709d71f6e6f
