author | Chris Lea | 2021-06-28 22:15:51 -0700 |
---|---|---|
committer | Chris Lea | 2021-06-28 22:15:51 -0700 |
commit | 45483e08174cea8b6dd15f641f344a31c694fdb3 (patch) | |
tree | 7ca6f2c45967dbc6afc5c6315875ad0c7c3f6c79 | |
parent | 12f4b403bf5d83a13b7cfbc13c736eb3239deaa1 (diff) | |
download | aur-45483e08174cea8b6dd15f641f344a31c694fdb3.tar.gz |
Make package mirror vanilla Arch Linux OpenVPN more closely.
- Update PKGBUILD to look as close as possible to the vanilla Arch
OpenVPN.
- Add additional packaging files.
- This includes the patch to run as an unprivileged user.
-rw-r--r-- | .SRCINFO | 16 | ||||
-rw-r--r-- | 0001-unprivileged.patch | 28 | ||||
-rw-r--r-- | PKGBUILD | 60 | ||||
-rw-r--r-- | openvpn.install | 12 | ||||
-rw-r--r-- | sysusers.conf | 1 | ||||
-rw-r--r-- | tmpfiles.conf | 4 |
6 files changed, 99 insertions, 22 deletions
@@ -1,8 +1,9 @@
 pkgbase = openvpn-mbedtls
 pkgdesc = An easy-to-use, robust and highly configurable VPN (Virtual Private Network), linked against the mbedtls library for crypto support.
 pkgver = 2.5.3
- pkgrel = 1
+ pkgrel = 2
 url = https://openvpn.net/index.php/open-source.html
+ install = openvpn.install
 arch = x86_64
 arch = armv7h
 arch = aarch64
@@ -10,7 +11,9 @@ pkgbase = openvpn-mbedtls
 makedepends = git
 makedepends = systemd
 makedepends = cmocka
+ makedepends = python-docutils
 depends = lzo
+ depends = lz4
 depends = iproute2
 depends = systemd-libs
 depends = mbedtls
@@ -18,10 +21,15 @@ pkgbase = openvpn-mbedtls
 optdepends = pam: authenticate via PAM
 provides = openvpn=2.5.3
 conflicts = openvpn
- source = https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.xz
- source = https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.xz.asc
+ source = git+https://github.com/OpenVPN/openvpn.git#tag=0071e180470e6d3a830da7b96df4ea8e510d2987?signed
+ source = 0001-unprivileged.patch
+ source = sysusers.conf
+ source = tmpfiles.conf
 validpgpkeys = F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
- sha256sums = fb6a9943c603a1951ca13e9267653f8dd650c02f84bccd2b9d20f06a4c9c9a7e
+ validpgpkeys = B62E6A2B4E56570B7BDC6BE01D829EFECA562812
 sha256sums = SKIP
+ sha256sums = 8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe
+ sha256sums = 3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621
+ sha256sums = b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc
 pkgname = openvpn-mbedtls
diff --git a/0001-unprivileged.patch b/0001-unprivileged.patch
new file mode 100644
index 000000000000..b33de3461cb1
--- /dev/null
+++ b/0001-unprivileged.patch
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
+index cbcef653..71aa1335 100644
+--- a/distro/systemd/openvpn-client@.service.in
++++ b/distro/systemd/openvpn-client@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index d1cc72cb..691f369e 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
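Review bot: The new patch file has no descriptive text above its first `diff --git` line, so nothing in the repository records what the unit changes are for or where they come from; `patch -Np1` ignores leading free text, so a short header costs nothing. Suggested header: `Run the openvpn-client@/openvpn-server@ units as the dedicated 'openvpn' user (created by sysusers.conf) with only the listed capabilities instead of as root. Taken from the Arch Linux openvpn package; keep it in sync with that package when rebasing.` Recording the upstream OpenVPN revision the patch was generated against would also make the next rebase onto a new tag easier to check.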
@@ -2,58 +2,80 @@
 # Contributer: Christian Hesse <mail@eworm.de>
 pkgname=openvpn-mbedtls
+_tag='0071e180470e6d3a830da7b96df4ea8e510d2987' # git rev-parse v${pkgver}
 _pkgname=openvpn
 crypto_library=mbedtls
 pkgver=2.5.3
-pkgrel=1
+pkgrel=2
 pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network), linked against the mbedtls library for crypto support.'
 arch=('x86_64' 'armv7h' 'aarch64')
 url='https://openvpn.net/index.php/open-source.html'
-depends=('lzo' 'iproute2' 'systemd-libs' "${crypto_library}")
+depends=('lzo' 'lz4' 'iproute2' 'systemd-libs' "${crypto_library}")
 optdepends=('easy-rsa: easy CA and certificate handling' 'pam: authenticate via PAM')
-makedepends=('git' 'systemd' 'cmocka')
+makedepends=('git' 'systemd' 'cmocka' 'python-docutils')
+install=openvpn.install
+validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7' # OpenVPN - Security Mailing List <security@openvpn.net>
+ 'B62E6A2B4E56570B7BDC6BE01D829EFECA562812') # Gert Doering <gert@v6.de>
 conflicts=("${_pkgname}")
 provides=("${_pkgname}=${pkgver}")
 license=('custom')
-source=("https://swupdate.openvpn.org/community/releases/${_pkgname}-${pkgver}.tar.xz"{,.asc})
-sha256sums=("fb6a9943c603a1951ca13e9267653f8dd650c02f84bccd2b9d20f06a4c9c9a7e"
- "SKIP")
-validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7')
+source=("git+https://github.com/OpenVPN/openvpn.git#tag=${_tag}?signed"
+ '0001-unprivileged.patch'
+ 'sysusers.conf'
+ 'tmpfiles.conf')
+sha256sums=('SKIP'
+ '8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe'
+ '3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621'
+ 'b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc')
+
+prepare() {
+ cd "${srcdir}"/${_pkgname}
+
+ # https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19302.html
+ sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac
+
+ # start with unprivileged user and keep granted privileges
+ patch -Np1 < ../0001-unprivileged.patch
+
+ autoreconf --force --install
+}
 build() {
- cd "${srcdir}"/${_pkgname}-${pkgver}
+ mkdir "${srcdir}"/build
+ cd "${srcdir}"/build
- CONFIG_SHELL=/bin/bash "${srcdir}"/${_pkgname}-${pkgver}/configure \
- CONFIG_SHELL=/bin/bash \
+ "${srcdir}"/openvpn/configure \
 --prefix=/usr \
 --sbindir=/usr/bin \
- --enable-iproute2 \
 --with-crypto-library=${crypto_library} \
+ --enable-iproute2 \
 --enable-plugins \
 --enable-systemd
 make
 }
 check() {
- cd "${srcdir}"/${_pkgname}-${pkgver}
+ cd "${srcdir}"/build
+ make check
 }
 package() {
- cd "${srcdir}"/${_pkgname}-${pkgver}
+ cd "${srcdir}"/build
 # Install openvpn
 make DESTDIR="${pkgdir}" install
- # Create empty configuration directories
- install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+ # Install sysusers and tmpfiles files
+ install -D -m0644 ../sysusers.conf "${pkgdir}"/usr/lib/sysusers.d/openvpn.conf
+ install -D -m0644 ../tmpfiles.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf
 # Install license
 install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
 ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
- cd "${srcdir}"/${_pkgname}-${pkgver}
+ cd "${srcdir}"/${_pkgname}
 # Install examples
 install -d -m0755 "${pkgdir}"/usr/share/openvpn
@@ -62,8 +84,10 @@ package() {
 # Install contrib
 for FILE in $(find contrib -type f); do
 case "$(file --brief --mime-type --no-sandbox "${FILE}")" in
- "text/x-shellscript") install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
- *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ "text/x-shellscript")
+ install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ *)
+ install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
 esac
 done
 }
diff --git a/openvpn.install b/openvpn.install
new file mode 100644
index 000000000000..09ded1e5f121
--- /dev/null
+++ b/openvpn.install
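Review bot: `mkdir "${srcdir}"/build` in build() fails with "File exists" whenever the build directory is still present from an earlier makepkg run (only `makepkg -C` wipes `$srcdir`), so the line should be `mkdir -p "${srcdir}"/build`. The same hunk reaches the helper files through relative paths that depend on the preceding `cd` (`patch -Np1 < ../0001-unprivileged.patch` in prepare(), `../sysusers.conf` and `../tmpfiles.conf` in package()); `"${srcdir}"/0001-unprivileged.patch` and friends would match how the rest of the file addresses `${srcdir}` and survive a later reordering of the `cd` lines. The first hunk covers prepare(), build(), check() and the start of package(), which continues into the second hunk (`@@ -62,8 +84,10 @@`); that hunk only reflows the `case` arms and needs nothing further.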
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+post_upgrade() {
+ # return if old package version greater 2.5.0-1...
+ (( $(vercmp $2 '2.5.0-1') > 0 )) && return
+
+ echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd'
+ echo " units start the process with a dedicated unprivileged user 'openvpn', with"
+ echo ' extra capabilities(7). The configuration should no longer drop privileges,'
+ echo " so remove 'user' and 'group' directives."
+ echo ' Scripts that require elevated privileges may need a workaround.'
+}
diff --git a/sysusers.conf b/sysusers.conf
new file mode 100644
index 000000000000..51864badbf6d
--- /dev/null
+++ b/sysusers.conf
@@ -0,0 +1 @@
+u openvpn - "OpenVPN"
diff --git a/tmpfiles.conf b/tmpfiles.conf
new file mode 100644
index 000000000000..be1386ad9368
--- /dev/null
+++ b/tmpfiles.conf
@@ -0,0 +1,4 @@
+d /etc/openvpn/client 0750 openvpn network -
+d /etc/openvpn/server 0750 openvpn network -
+d /run/openvpn-client 0750 openvpn network -
+d /run/openvpn-server 0750 openvpn network -
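Review bot: The version gate in post_upgrade() compares the previous version against `2.5.0-1`, but in this package the switch to the unprivileged user lands with this commit at 2.5.3-2 (pkgrel 1 → 2 in the PKGBUILD hunk), so a user upgrading from 2.5.3-1 satisfies `> 0` and returns before the notice is printed — precisely the upgrade that changes how their units run. Gate on the release that introduces the change instead: `# return if the old package already ran the units as the unprivileged user (>= 2.5.3-2)` and `(( $(vercmp "$2" '2.5.3-2') >= 0 )) && return`. Quoting `$2` keeps the arithmetic expression well-formed if the argument is ever empty. The `#!/bin/sh` shebang is misleading for a file that uses `(( ))`; pacman sources .install scripts with bash, so either drop the line or note that bash is required.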