<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] OpenVPN missing PID dir
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20OpenVPN%20missing%20PID%20dir&In-Reply-To=%3C50B2DBC5.8050104%40LinuxCabal.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="020274.html">
   <LINK REL="Next"  HREF="020287.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] OpenVPN missing PID dir</H1>
    <B>Richard Couture</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20OpenVPN%20missing%20PID%20dir&In-Reply-To=%3C50B2DBC5.8050104%40LinuxCabal.org%3E"
       TITLE="[Mageia-dev] OpenVPN missing PID dir">rrc at LinuxCabal.org
       </A><BR>
    <I>Mon Nov 26 04:02:29 CET 2012</I>
    <P><UL>
        <LI>Previous message: <A HREF="020274.html">[Mageia-dev] OpenVPN missing PID dir
</A></li>
        <LI>Next message: <A HREF="020287.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir)
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#20275">[ date ]</a>
              <a href="thread.html#20275">[ thread ]</a>
              <a href="subject.html#20275">[ subject ]</a>
              <a href="author.html#20275">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>I didn't mean to open a can of worms, but since it's open ...

with script-security 2 added to the client.conf, openvpn starts just 
fine with the command   systemctl restart openvpn@client.service  UNTIL 
you add the parameter  auth-user-pass to the client.conf
Once that param is added, openvpn refuses to start via systemd though it 
starts just fine via sys5
[root@pwyr openvpn]# cd /etc/init.d/
[root@pwyr init.d]# ./openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn: Enter Auth Username:rrc
Enter Auth Password:
                                                            [  OK  ]
Since we're looking at openvpn, hopefully we can figure out what this is 
all about as this param is EXTREMELY important to harden the security of 
openvpn

Thanks




Richard



On 11/25/2012 06:18 PM, Colin Guthrie wrote:
&gt;<i> 'Twas brillig, and Olivier Blin at 25/11/12 23:31 did gyre and gimble:
</I>&gt;&gt;<i> Colin Guthrie&lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">mageia at colin.guthr.ie</A>&gt;  writes:
</I>&gt;&gt;<i>
</I>&gt;&gt;&gt;<i> 'Twas brillig, and Olivier Blin at 25/11/12 15:19 did gyre and gimble:
</I>&gt;&gt;&gt;&gt;<i> Colin Guthrie&lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">mageia at colin.guthr.ie</A>&gt;  writes:
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;&gt;<i> 1. &quot;systemd-tmpfiles --create&quot; is not run in the %post (before
</I>&gt;&gt;&gt;&gt;&gt;<i> add-service helper) (note that on cauldron the command must be:
</I>&gt;&gt;&gt;&gt;&gt;<i> &quot;systemd-tmpfiles --create openvpn.conf&quot;). This means that you'll need a
</I>&gt;&gt;&gt;&gt;&gt;<i> reboot before openvpn will work on mga2 after installing it.
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;<i> Hi,
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;<i> Shouldn't this be done through a rpm filetrigger?
</I>&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;<i> I don't think there is a way to specify which files triggered the file
</I>&gt;&gt;&gt;<i> trigger is there?
</I>&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;<i> Basically we'd need to know the basename of the file that changed, also
</I>&gt;&gt;&gt;<i> there are times when it has to be excluded (e.g. some files should not
</I>&gt;&gt;&gt;<i> be run except at boot).
</I>&gt;&gt;<i>
</I>
&gt;&gt;<i> Looks like this list is available to the script from stdin, see
</I>&gt;&gt;<i> /var/lib/rpm/filetriggers/httpd.script or
</I>&gt;&gt;<i> /var/lib/rpm/filetriggers/pear.script
</I>&gt;<i>
</I>&gt;<i> OK good to know.
</I>&gt;<i>
</I>&gt;<i> Sadly the ordering is still wrong as this needs to be run after %pre but
</I>&gt;<i> before any calls to %_post_service (i.e. in %post).
</I>&gt;<i>
</I>&gt;<i> As a result I don't think it's really possible to automate this. It
</I>&gt;<i> could be added to a filetrigger for &quot;safety&quot; and baked into
</I>&gt;<i> %_post_service but it still doesn't cover several corner cases, and I
</I>&gt;<i> don't think it's really worth the bother personally.
</I>&gt;<i>
</I>&gt;<i> Col
</I>&gt;<i>
</I>&gt;<i>
</I>
-- 
LinuxCabal Asociaci&#243;n Civil
Ing. Richard Couture
Novell CNE, ECNE, MCNE
HP/Compaq ASE
Tel.: (+52) (333) 145-2638
Cel.: (+52) (044) 333 377-7505
Cel.: (+52) (044) 333 377-7506
Web: <A HREF="http://www.LinuxCabal.org">http://www.LinuxCabal.org</A>
E-Mail: <A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">rrc at linuxcabal.org</A>
Hosted in the cloud at Cloud Sigma - www.CloudSigma.com

CONFIDENTIALITY NOTICE: This e-mail, including any files attached to it, 
may contain confidential and/or privileged information, and is sent 
solely and exclusively for the attention of the person and/or entity to 
whom it is addressed. Copying, review, use, disclosure and/or 
distribution of such confidential information without the written 
authorization of LinuxCabal is prohibited. If you are not the intended 
recipient of this e-mail, please contact the sender by replying to this 
e-mail and delete the original e-mail including its files, as well as 
any copies of it. By receiving this e-mail you acknowledge and accept 
that in the event of a breach by you and/or your representatives of the 
aforementioned terms, LinuxCabal shall be entitled to the damages that 
this causes it.

</PRE>
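Added example, not part of the original message: a shell check that tells a bare `auth-user-pass` (which makes OpenVPN prompt for the username and password, as in the init-script session above) from one that names a credentials file, and verifies that such a file is owner-only. The function name, its exit codes and the sample config are constructed for illustration; resolving relative paths against the config's directory is an assumption.

```shell
#!/bin/sh
# Added example: classify how an OpenVPN client config supplies credentials.
# Exit codes are this example's own convention:
#   0 no auth-user-pass, or credentials file present and owner-only
#   1 bare auth-user-pass (OpenVPN prompts, so it needs a terminal)
#   2 credentials file named but missing
#   3 credentials file accessible to group or others
#   4 config unreadable
audit_auth_user_pass() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 4; }
    # A token starting with '#' or ';' begins a comment; the last directive
    # wins. Quoted paths containing spaces are not handled here.
    found=$(awk '{
        n = NF
        for (i = 1; i <= NF; i++) if ($i ~ /^[#;]/) { n = i - 1; break }
        if (n >= 1 && $1 == "auth-user-pass") { hit = 1; file = (n >= 2 ? $2 : "") }
    } END { if (hit) print "set:" file }' "$conf")
    case $found in
        "")   echo "ok: no auth-user-pass directive"; return 0 ;;
        set:) echo "prompt: bare auth-user-pass asks for credentials on a terminal"
              return 1 ;;
    esac
    cred=${found#set:}
    # Assumption: relative paths are resolved against the config's directory.
    case $cred in /*) ;; *) cred=$(dirname "$conf")/$cred ;; esac
    [ -f "$cred" ] || { echo "missing: $cred"; return 2; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ldL "$cred" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "exposed: $cred has mode bits $bits"; return 3; }
    echo "ok: credentials read from $cred (owner-only)"
    return 0
}

# Constructed sample: the client.conf lines described in the post.
demo=$(mktemp -d)
printf 'client\nscript-security 2\nauth-user-pass\n' > "$demo/client.conf"
audit_auth_user_pass "$demo/client.conf" || echo "exit code $?"
rm -rf "$demo"
```
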










<!--endarticle-->
    <HR>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>