[Mageia-dev] OpenVPN missing PID dir

Mon Nov 26 04:02:29 CET 2012

I didn't mean to open a can of worms, but since it's open ...
+
+with script-security 2 added to the client.conf, openvpn starts just 
+fine with the command   systemctl restart openvpn at client.service  UNTIL 
+you add the parameter  auth-user-pass to the client.conf
+Once that param is added, openvpn refuses to start via systemD though it 
+starts just fine via sys5
+[root at pwyr openvpn]# cd /etc/init.d/
+[root at pwyr init.d]# ./openvpn restart
+Shutting down openvpn:                                     [  OK  ]
+Starting openvpn: Enter Auth Username:rrc
+Enter Auth Password:
+                                                            [  OK  ]
+Since were looking at openvpn, hopefully we can figure out what this is 
+all about as this param is EXTREMELY important to harden the security of 
+openvpn
+
+Thanks
+
+
+
+
+Richard
+
+
+
+On 11/25/2012 06:18 PM, Colin Guthrie wrote:
+> 'Twas brillig, and Olivier Blin at 25/11/12 23:31 did gyre and gimble:
+>> Colin Guthrie<mageia at colin.guthr.ie>  writes:
+>>
+>>> 'Twas brillig, and Olivier Blin at 25/11/12 15:19 did gyre and gimble:
+>>>> Colin Guthrie<mageia at colin.guthr.ie>  writes:
+>>>>
+>>>>> 1. "systemd-tmpfiles --create" is not run in the %post (before
+>>>>> add-service helper) (note that on cauldron the command must be:
+>>>>> "systemd-tmpfiles --create openvpn.conf"). This means that you'll need a
+>>>>> reboot before openvpn will work on mga2 after installing it.
+>>>>
+>>>> Hi,
+>>>>
+>>>> Shouldn't this be done through a rpm filetrigger?
+>>>
+>>> I don't think there is a way to specify which files triggered the file
+>>> trigger is there?
+>>>
+>>> Basically we'd need to know the basename of the file that changed, also
+>>> there are times when it has to be excluded (e.g. some files should not
+>>> be run except at boot).
+>>
+
+>> Looks like this list is available to the script from stdin, see
+>> /var/lib/rpm/filetriggers/httpd.script or
+>> /var/lib/rpm/filetriggers/pear.script
+>
+> OK good to know.
+>
+> Sadly the ordering is still wrong as this needs to be run after %pre but
+> before any calls to %_post_service (i.e. in %post).
+>
+> As a result I don't think it's really possible to automate this. It
+> could be added to a filetrigger for "safety" and baked into
+> %_post_service but it still doesn't cover several corner cases, and I
+> don't think it's really worth the bother personally.
+>
+> Col
+>
+>
+
+-- 
+LinuxCabal Asociación Civil
+Ing. Richard Couture
+Novell CNE, ECNE, MCNE
+HP/Compaq ASE
+Tel.: (+52) (333) 145-2638
+Cel.: (+52) (044) 333 377-7505
+Cel.: (+52) (044) 333 377-7506
+Web: http://www.LinuxCabal.org
+E-Mail: rrc at linuxcabal.org
+Hosted en la nube Cloud Sigma - www.CloudSigma.com
+
+AVISO DE CONFIDENCIALIDAD: Este correo electrónico, incluyendo en su 
+caso, los archivos adjuntos al mismo, pueden contener información de 
+carácter confidencial y/o privilegiada, y se envían a la atención única 
+y exclusivamente de la persona y/o entidad a quien va dirigido. La 
+copia, revisión, uso, revelación y/o distribución de dicha información 
+confidencial sin la autorización por escrito de LinuxCabal está 
+prohibida. Si usted no es el destinatario a quien se dirige el presente 
+correo, favor de contactar al remitente respondiendo al presente correo 
+y eliminar el correo original incluyendo sus archivos, así como 
+cualesquiera copia del mismo. Mediante la recepción del presente correo 
+usted reconoce y acepta que en caso de incumplimiento de su parte y/o de 
+sus representantes a los términos antes mencionados, LinuxCabal tendrá 
+derecho a los daños y perjuicios que esto le cause.
+
+