author | s3rj1k | 2021-02-15 18:29:51 +0200 |
committer | s3rj1k | 2021-02-15 18:45:01 +0200 |
commit | 316aecbbdad7d13a9c5f13b8ebdb6dbf1f075dc4 (patch) | |
tree | aacc60cb5fc7fff8d3d2cba632b67ccb75ac02c6 | |
download | aur-316aecbbdad7d13a9c5f13b8ebdb6dbf1f075dc4.tar.gz |
initial commit
Signed-off-by: s3rj1k <evasive.gyron@gmail.com>
-rw-r--r-- | .SRCINFO | 35 | ||||
-rw-r--r-- | 0001-unprivileged.patch | 28 | ||||
-rw-r--r-- | PKGBUILD | 92 | ||||
-rw-r--r-- | openvpn.install | 12 | ||||
-rw-r--r-- | sysusers.conf | 1 | ||||
-rw-r--r-- | tmpfiles.conf | 4 |
6 files changed, 172 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..f4a4d06f0196
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,35 @@
+pkgbase = openvpn-password-save
+ pkgdesc = An easy-to-use, robust and highly configurable VPN (Virtual Private Network)
+ pkgver = 2.5.0
+ pkgrel = 1
+ url = https://openvpn.net/index.php/open-source.html
+ install = openvpn.install
+ arch = x86_64
+ license = custom
+ makedepends = git
+ makedepends = systemd
+ makedepends = python-docutils
+ depends = openssl
+ depends = lzo
+ depends = lz4
+ depends = systemd-libs
+ depends = libsystemd.so
+ depends = pkcs11-helper
+ depends = libpkcs11-helper.so
+ optdepends = easy-rsa: easy CA and certificate handling
+ optdepends = pam: authenticate via PAM
+ provides = openvpn
+ conflicts = openvpn
+ source = git+https://github.com/OpenVPN/openvpn.git#tag=v2.5.0?signed
+ source = 0001-unprivileged.patch
+ source = sysusers.conf
+ source = tmpfiles.conf
+ validpgpkeys = F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
+ validpgpkeys = B62E6A2B4E56570B7BDC6BE01D829EFECA562812
+ sha256sums = SKIP
+ sha256sums = 8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe
+ sha256sums = 3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621
+ sha256sums = b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc
+
+pkgname = openvpn-password-save
+
diff --git a/0001-unprivileged.patch b/0001-unprivileged.patch
new file mode 100644
index 000000000000..b33de3461cb1
--- /dev/null
+++ b/0001-unprivileged.patch
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
+index cbcef653..71aa1335 100644
+--- a/distro/systemd/openvpn-client@.service.in
++++ b/distro/systemd/openvpn-client@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index d1cc72cb..691f369e 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..fbe253779299
--- /dev/null
+++ b/PKGBUILD
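Review bot: The `AmbientCapabilities=` line added to both units hands the full `CapabilityBoundingSet` to the `openvpn` user, including CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT, so the process started as `User=openvpn` can still bypass file permission checks and change identity; the isolation that a dedicated service user is supposed to provide is largely undone by the same patch. Presumably CAP_DAC_OVERRIDE is there so the service can read root-owned keys and configs under the `WorkingDirectory=` — worth confirming, and if that is the only reason the narrower option is to make those files readable by group `network` (already set via `Group=network`) and drop CAP_DAC_OVERRIDE from the ambient set. Either way the patch should carry a comment stating why each ambient capability is needed, since the unprivileged-user change is the only thing this package advertises beyond `openvpn`.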
@@ -0,0 +1,92 @@
+# Maintainer: s3rj1k <evasive.gyron@gmail.com>
+
+pkgname=openvpn-password-save
+_pkgname=openvpn
+pkgver=2.5.0
+pkgrel=1
+pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
+arch=('x86_64')
+url='https://openvpn.net/index.php/open-source.html'
+license=('custom')
+depends=('openssl' 'lzo' 'lz4' 'systemd-libs' 'libsystemd.so' 'pkcs11-helper' 'libpkcs11-helper.so')
+conflicts=('openvpn')
+provides=('openvpn')
+optdepends=('easy-rsa: easy CA and certificate handling'
+ 'pam: authenticate via PAM')
+makedepends=('git' 'systemd' 'python-docutils')
+install=openvpn.install
+validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7' # OpenVPN - Security Mailing List <security@openvpn.net>
+ 'B62E6A2B4E56570B7BDC6BE01D829EFECA562812') # Gert Doering <gert@v6.de>
+source=("git+https://github.com/OpenVPN/openvpn.git#tag=v${pkgver}?signed"
+ '0001-unprivileged.patch'
+ 'sysusers.conf'
+ 'tmpfiles.conf')
+sha256sums=('SKIP'
+ '8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe'
+ '3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621'
+ 'b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc')
+
+prepare() {
+ cd "${srcdir}"/${_pkgname}
+
+ # https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19302.html
+ sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac
+
+ # start with unprivileged user and keep granted privileges
+ patch -Np1 < ../0001-unprivileged.patch
+
+ autoreconf --force --install
+}
+
+build() {
+ mkdir "${srcdir}"/build
+ cd "${srcdir}"/build
+
+ "${srcdir}"/openvpn/configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --enable-iproute2 \
+ --enable-pkcs11 \
+ --enable-plugins \
+ --enable-systemd \
+ --enable-password-save \
+ --enable-x509-alt-username
+ make
+}
+
+check() {
+ cd "${srcdir}"/build
+
+ make check
+}
+
+package() {
+ cd "${srcdir}"/build
+
+ # Install openvpn
+ make DESTDIR="${pkgdir}" install
+
+ # Install sysusers and tmpfiles files
+ install -D -m0644 ../sysusers.conf "${pkgdir}"/usr/lib/sysusers.d/openvpn.conf
+ install -D -m0644 ../tmpfiles.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
+
+ # Install license
+ install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
+ ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
+
+ cd "${srcdir}"/${_pkgname}
+
+ # Install examples
+ install -d -m0755 "${pkgdir}"/usr/share/openvpn
+ cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
+
+ # Install contrib
+ for FILE in $(find contrib -type f); do
+ case "$(file --brief --mime-type --no-sandbox "${FILE}")" in
+ "text/x-shellscript")
+ install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ *)
+ install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ esac
+ done
+}
diff --git a/openvpn.install b/openvpn.install
new file mode 100644
index 000000000000..09ded1e5f121
--- /dev/null
+++ b/openvpn.install
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+post_upgrade() {
+ # return if old package version greater 2.5.0-1...
+ (( $(vercmp $2 '2.5.0-1') > 0 )) && return
+
+ echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd'
+ echo " units start the process with a dedicated unprivileged user 'openvpn', with"
+ echo ' extra capabilities(7). The configuration should no longer drop privileges,'
+ echo " so remove 'user' and 'group' directives."
+ echo ' Scripts that require elevated privileges may need a workaround.'
+}
diff --git a/sysusers.conf b/sysusers.conf
new file mode 100644
index 000000000000..51864badbf6d
--- /dev/null
+++ b/sysusers.conf
@@ -0,0 +1 @@
+u openvpn - "OpenVPN"
diff --git a/tmpfiles.conf b/tmpfiles.conf
new file mode 100644
index 000000000000..be1386ad9368
--- /dev/null
+++ b/tmpfiles.conf
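Review bot: `--enable-password-save` in build() is the one option that separates this package from `openvpn`, yet nothing checks that the tagged v2.5.0 tree still understands it; as far as I recall upstream dropped that configure switch during the 2.4 series when reading credentials from a file became unconditional, and autoconf merely prints a warning for an unrecognized `--enable-*` flag, so the build would succeed while changing nothing. A guard in prepare(), right after the `cd`, makes the assumption explicit and fails the build under makepkg's `set -e`: `grep -q -- 'enable-password-save' configure.ac || { echo 'error: configure.ac has no --enable-password-save switch' >&2; return 1; }`. Separately, `for FILE in $(find contrib -type f)` in package() word-splits and glob-expands the path list; `find contrib -type f -print0 | while IFS= read -r -d '' FILE; do … done` keeps paths with whitespace intact.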
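Review bot: The `#!/bin/sh` shebang on the first line of openvpn.install does not match the body, which relies on the bash-only arithmetic `(( ... ))` on the vercmp line; pacman sources .install scripts with bash so it works, but the shebang misleads anyone running the hook by hand, and Arch's own install scripts simply omit it. `$2` is also passed to vercmp unquoted; `(( $(vercmp "$2" '2.5.0-1') > 0 )) && return` is the safer form. A one-line comment above the function noting that the message only matters when upgrading from a release older than the unprivileged-user change would help whoever bumps the version threshold later.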
@@ -0,0 +1,4 @@
+d /etc/openvpn/client 0750 openvpn network -
+d /etc/openvpn/server 0750 openvpn network -
+d /run/openvpn-client 0750 openvpn network -
+d /run/openvpn-server 0750 openvpn network - |
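Review bot: The first two lines create `/etc/openvpn/client` and `/etc/openvpn/server` owned by the `openvpn` service user, so the process the units run as `User=openvpn` can rewrite its own configuration and any scripts referenced from it; for a package whose point is keeping credentials in those config files, that is the directory you least want the service to own. Root ownership with group read, `d /etc/openvpn/client 0750 root network -` (and the same for `server`), still lets the service read its config through `Group=network` while removing write access — assuming the files inside are group-readable, which is worth confirming against the units. The `/run/openvpn-*` entries look different: the server unit writes its status log there, so `openvpn` ownership of those two is presumably required.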