initial commit

Signed-off-by: s3rj1k <evasive.gyron@gmail.com>

6 files changed, 172 insertions, 0 deletions

diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..f4a4d06f0196
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,35 @@
+pkgbase = openvpn-password-save
+	pkgdesc = An easy-to-use, robust and highly configurable VPN (Virtual Private Network)
+	pkgver = 2.5.0
+	pkgrel = 1
+	url = https://openvpn.net/index.php/open-source.html
+	install = openvpn.install
+	arch = x86_64
+	license = custom
+	makedepends = git
+	makedepends = systemd
+	makedepends = python-docutils
+	depends = openssl
+	depends = lzo
+	depends = lz4
+	depends = systemd-libs
+	depends = libsystemd.so
+	depends = pkcs11-helper
+	depends = libpkcs11-helper.so
+	optdepends = easy-rsa: easy CA and certificate handling
+	optdepends = pam: authenticate via PAM
+	provides = openvpn
+	conflicts = openvpn
+	source = git+https://github.com/OpenVPN/openvpn.git#tag=v2.5.0?signed
+	source = 0001-unprivileged.patch
+	source = sysusers.conf
+	source = tmpfiles.conf
+	validpgpkeys = F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
+	validpgpkeys = B62E6A2B4E56570B7BDC6BE01D829EFECA562812
+	sha256sums = SKIP
+	sha256sums = 8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe
+	sha256sums = 3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621
+	sha256sums = b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc
+
+pkgname = openvpn-password-save
+
diff --git a/0001-unprivileged.patch b/0001-unprivileged.patch
new file mode 100644
index 000000000000..b33de3461cb1
--- /dev/null
+++ b/0001-unprivileged.patch
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
+index cbcef653..71aa1335 100644
+--- a/distro/systemd/openvpn-client@.service.in
++++ b/distro/systemd/openvpn-client@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index d1cc72cb..691f369e 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..fbe253779299
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,92 @@
+# Maintainer: s3rj1k <evasive.gyron@gmail.com>
+
+pkgname=openvpn-password-save
+_pkgname=openvpn
+pkgver=2.5.0
+pkgrel=1
+pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
+arch=('x86_64')
+url='https://openvpn.net/index.php/open-source.html'
+license=('custom')
+depends=('openssl' 'lzo' 'lz4' 'systemd-libs' 'libsystemd.so' 'pkcs11-helper' 'libpkcs11-helper.so')
+conflicts=('openvpn')
+provides=('openvpn')
+optdepends=('easy-rsa: easy CA and certificate handling'
+            'pam: authenticate via PAM')
+makedepends=('git' 'systemd' 'python-docutils')
+install=openvpn.install
+validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7'  # OpenVPN - Security Mailing List <security@openvpn.net>
+              'B62E6A2B4E56570B7BDC6BE01D829EFECA562812') # Gert Doering <gert@v6.de>
+source=("git+https://github.com/OpenVPN/openvpn.git#tag=v${pkgver}?signed"
+        '0001-unprivileged.patch'
+        'sysusers.conf'
+        'tmpfiles.conf')
+sha256sums=('SKIP'
+            '8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe'
+            '3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621'
+            'b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc')
+
+prepare() {
+  cd "${srcdir}"/${_pkgname}
+
+  # https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19302.html
+  sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac
+
+  # start with unprivileged user and keep granted privileges
+  patch -Np1 < ../0001-unprivileged.patch
+
+  autoreconf --force --install
+}
+
+build() {
+  mkdir "${srcdir}"/build
+  cd "${srcdir}"/build
+
+  "${srcdir}"/openvpn/configure \
+    --prefix=/usr \
+    --sbindir=/usr/bin \
+    --enable-iproute2 \
+    --enable-pkcs11 \
+    --enable-plugins \
+    --enable-systemd \
+    --enable-password-save \
+    --enable-x509-alt-username
+  make
+}
+
+check() {
+  cd "${srcdir}"/build
+
+  make check
+}
+
+package() {
+  cd "${srcdir}"/build
+
+  # Install openvpn
+  make DESTDIR="${pkgdir}" install
+
+  # Install sysusers and tmpfiles files
+  install -D -m0644 ../sysusers.conf "${pkgdir}"/usr/lib/sysusers.d/openvpn.conf
+  install -D -m0644 ../tmpfiles.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
+
+  # Install license
+  install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
+  ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
+
+  cd "${srcdir}"/${_pkgname}
+
+  # Install examples
+  install -d -m0755 "${pkgdir}"/usr/share/openvpn
+  cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
+
+  # Install contrib
+  for FILE in $(find contrib -type f); do
+    case "$(file --brief --mime-type --no-sandbox "${FILE}")" in
+      "text/x-shellscript")
+        install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+      *)
+        install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+    esac
+  done
+}
diff --git a/openvpn.install b/openvpn.install
new file mode 100644
index 000000000000..09ded1e5f121
--- /dev/null
+++ b/openvpn.install
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+post_upgrade() {
+  # return if old package version greater 2.5.0-1...
+  (( $(vercmp $2 '2.5.0-1') > 0 )) && return
+
+  echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd'
+  echo "   units start the process with a dedicated unprivileged user 'openvpn', with"
+  echo '   extra capabilities(7). The configuration should no longer drop privileges,'
+  echo "   so remove 'user' and 'group' directives."
+  echo '   Scripts that require elevated privileges may need a workaround.'
+}
diff --git a/sysusers.conf b/sysusers.conf
new file mode 100644
index 000000000000..51864badbf6d
--- /dev/null
+++ b/sysusers.conf
@@ -0,0 +1 @@
+u openvpn - "OpenVPN"
diff --git a/tmpfiles.conf b/tmpfiles.conf
new file mode 100644
index 000000000000..be1386ad9368
--- /dev/null
+++ b/tmpfiles.conf
@@ -0,0 +1,4 @@
+d /etc/openvpn/client 0750 openvpn network -
+d /etc/openvpn/server 0750 openvpn network -
+d /run/openvpn-client 0750 openvpn network -
+d /run/openvpn-server 0750 openvpn network -