-rw-r--r-- | .SRCINFO | 20 | ||||
-rw-r--r-- | 0001-unprivileged.patch | 28 | ||||
-rw-r--r-- | PKGBUILD | 136 | ||||
-rw-r--r-- | openvpn.install | 12 | ||||
-rw-r--r-- | sysusers.conf | 1 | ||||
-rw-r--r-- | tmpfiles.conf | 4 |
6 files changed, 136 insertions, 65 deletions
@@ -1,26 +1,36 @@ pkgbase = openvpn-git pkgdesc = An easy-to-use, robust and highly configurable VPN (Virtual Private Network) - git checkout - pkgver = 2.4.rc2.r280.g2cea7200 + pkgver = 2.4.rc2.r864.g3b1ded39 pkgrel = 1 - url = http://openvpn.net/index.php/open-source.html + url = https://openvpn.net/index.php/open-source.html + install = openvpn.install arch = i686 arch = x86_64 license = custom makedepends = git makedepends = systemd + makedepends = python-docutils depends = openssl depends = lzo - depends = iproute2 - depends = libsystemd + depends = lz4 + depends = systemd-libs + depends = libsystemd.so depends = pkcs11-helper + depends = libpkcs11-helper.so optdepends = easy-rsa: easy CA and certificate handling optdepends = pam: authenticate via PAM provides = openvpn=2.4.0 provides = openvpn-dev conflicts = openvpn conflicts = openvpn-dev - source = git://github.com/OpenVPN/openvpn.git + source = git+https://github.com/OpenVPN/openvpn.git + source = 0001-unprivileged.patch + source = sysusers.conf + source = tmpfiles.conf sha256sums = SKIP + sha256sums = 8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe + sha256sums = 3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621 + sha256sums = b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc pkgname = openvpn-git diff --git a/0001-unprivileged.patch b/0001-unprivileged.patch new file mode 100644 index 000000000000..b33de3461cb1 --- /dev/null +++ b/0001-unprivileged.patch 
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
+index cbcef653..71aa1335 100644
+--- a/distro/systemd/openvpn-client@.service.in
++++ b/distro/systemd/openvpn-client@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index d1cc72cb..691f369e 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
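Review bot: The added `AmbientCapabilities=` lines copy the existing `CapabilityBoundingSet` verbatim, so the unprivileged `openvpn` user still starts with CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT as effective capabilities; CAP_DAC_OVERRIDE alone lets the daemon read and write files regardless of ownership, which removes much of what `User=openvpn` buys. CAP_SETUID/CAP_SETGID/CAP_SYS_CHROOT only matter when a config still carries `user`/`group`/`chroot` directives, which openvpn.install tells users to drop, and CAP_DAC_OVERRIDE is presumably kept so root-owned key files remain readable (TODO confirm), so trimming the ambient set to the network-related capabilities and letting admins extend it with a drop-in seems worth considering. The patch also has no header text; a few lines before the first `diff --git` explaining why each ambient capability is granted would document the trade-off for whoever rebases it. Both inner hunks sit inside the `[Service]` section, whose start is outside the hunk.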
@@ -1,87 +1,103 @@ # Maintainer: Christian Hesse <mail@eworm.de> pkgname=openvpn-git -pkgver=2.4.rc2.r280.g2cea7200 +pkgver=2.4.rc2.r864.g3b1ded39 pkgrel=1 pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network) - git checkout' arch=('i686' 'x86_64') -url='http://openvpn.net/index.php/open-source.html' -depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper') +url='https://openvpn.net/index.php/open-source.html' +license=('custom') +depends=('openssl' 'lzo' 'lz4' 'systemd-libs' 'libsystemd.so' 'pkcs11-helper' 'libpkcs11-helper.so') optdepends=('easy-rsa: easy CA and certificate handling' 'pam: authenticate via PAM') -makedepends=('git' 'systemd') +makedepends=('git' 'systemd' 'python-docutils') conflicts=('openvpn' 'openvpn-dev') provides=('openvpn=2.4.0' 'openvpn-dev') -license=('custom') -# for 2.4.x release branch append: #branch=release/2.4 -source=('git://github.com/OpenVPN/openvpn.git') -sha256sums=('SKIP') +install=openvpn.install +# for 2.5.x release branch append: #branch=release/2.5 +source=("git+https://github.com/OpenVPN/openvpn.git" + '0001-unprivileged.patch' + 'sysusers.conf' + 'tmpfiles.conf') +sha256sums=('SKIP' + '8e7d292514f30729bc37d6681789b1bfdf87a992a3aa77e2a28b8da9cd8d4bfe' + '3646b865ac67783fafc6652589cfe2a3105ecef06f3907f33de5135815f6a621' + 'b1436f953a4f1be7083711d11928a9924993f940ff56ff92d288d6100df673fc') pkgver() { - cd openvpn/ - - if GITTAG="$(git describe --abbrev=0 --tags 2>/dev/null)"; then - printf '%s.r%s.g%s' \ - "$(sed -e "s/^${pkgname%%-git}//" -e 's/^[-_/a-zA-Z]\+//' -e 's/[-_+]/./g' <<< ${GITTAG})" \ - "$(git rev-list --count ${GITTAG}..)" \ - "$(git log -1 --format='%h')" - else - printf '0.r%s.g%s' \ - "$(git rev-list --count master)" \ - "$(git log -1 --format='%h')" - fi + cd "${srcdir}"/openvpn + + if GITTAG="$(git describe --abbrev=0 --tags 2>/dev/null)"; then + printf '%s.r%s.g%s' \ + "$(sed -e "s/^${pkgname%%-git}//" -e 's/^[-_/a-zA-Z]\+//' -e 's/[-_+]/./g' <<< ${GITTAG})" \ + 
"$(git rev-list --count ${GITTAG}..)" \ + "$(git rev-parse --short HEAD)" + else + printf '0.r%s.g%s' \ + "$(git rev-list --count master)" \ + "$(git rev-parse --short HEAD)" + fi } prepare() { - cd openvpn/ + cd "${srcdir}"/openvpn + + # https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19302.html + sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac - # regenerate configure script - autoreconf -vi + # start with unprivileged user and keep granted privileges + patch -Np1 < ../0001-unprivileged.patch + + autoreconf --force --install } build() { - cd openvpn/ - - ./configure \ - --prefix=/usr \ - --sbindir=/usr/bin \ - --enable-iproute2 \ - --enable-pkcs11 \ - --enable-plugins \ - --enable-systemd \ - --enable-x509-alt-username - make + mkdir "${srcdir}"/build + cd "${srcdir}"/build + + "${srcdir}"/openvpn/configure \ + --prefix=/usr \ + --sbindir=/usr/bin \ + --enable-pkcs11 \ + --enable-plugins \ + --enable-systemd \ + --enable-x509-alt-username + make } check() { - cd openvpn/ + cd "${srcdir}"/build - make check + make check } package() { - cd openvpn/ - - # Install openvpn - make DESTDIR="${pkgdir}" install - - # Create empty configuration directories - install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server} - - # Install examples - install -d -m0755 "${pkgdir}"/usr/share/openvpn - cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples - - # Install license - install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/ - ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/ - - # Install contrib - for FILE in $(find contrib -type f); do - case "$(file --brief --mime-type "${FILE}")" in - "text/x-shellscript") install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;; - *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;; - esac - done + cd "${srcdir}"/build + + # Install openvpn + make DESTDIR="${pkgdir}" install + + # Install sysusers and tmpfiles 
files + install -D -m0644 ../sysusers.conf "${pkgdir}"/usr/lib/sysusers.d/openvpn.conf + install -D -m0644 ../tmpfiles.conf "${pkgdir}"/usr/lib/tmpfiles.d/openvpn.conf + + # Install license + install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/ + ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/ + + cd "${srcdir}"/openvpn + + # Install examples + install -d -m0755 "${pkgdir}"/usr/share/openvpn + cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples + + # Install contrib + for FILE in $(find contrib -type f); do + case "$(file --brief --mime-type --no-sandbox "${FILE}")" in + "text/x-shellscript") + install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;; + *) + install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;; + esac + done } - diff --git a/openvpn.install b/openvpn.install new file mode 100644 index 000000000000..09ded1e5f121 --- /dev/null +++ b/openvpn.install @@ -0,0 +1,12 @@ +#!/bin/sh + +post_upgrade() { + # return if old package version greater 2.5.0-1... + (( $(vercmp $2 '2.5.0-1') > 0 )) && return + + echo ':: OpenVPN now uses a netlink interface for network configuration. The systemd' + echo " units start the process with a dedicated unprivileged user 'openvpn', with" + echo ' extra capabilities(7). The configuration should no longer drop privileges,' + echo " so remove 'user' and 'group' directives." + echo ' Scripts that require elevated privileges may need a workaround.' +} diff --git a/sysusers.conf b/sysusers.conf new file mode 100644 index 000000000000..51864badbf6d --- /dev/null +++ b/sysusers.conf @@ -0,0 +1 @@ +u openvpn - "OpenVPN" diff --git a/tmpfiles.conf b/tmpfiles.conf new file mode 100644 index 000000000000..be1386ad9368 --- /dev/null +++ b/tmpfiles.conf 
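Review bot: The new `--no-sandbox` flag on the `file` call in package() disables libmagic's seccomp sandbox without saying why; presumably file(1) aborts under fakeroot otherwise (TODO confirm), and since the inputs are the upstream contrib tree the risk is low, but a comment such as `# --no-sandbox: file(1)'s seccomp filter aborts under fakeroot` would stop a later maintainer from silently dropping or cargo-culting it. Separately, build() runs `mkdir "${srcdir}"/build`, which fails on a second makepkg run when $srcdir is kept; `mkdir -p "${srcdir}"/build` avoids that. The `patch -Np1 < ../0001-unprivileged.patch` line relies on the cwd set two lines earlier, which is fine here but worth the explicit `"${srcdir}"/0001-unprivileged.patch` form used elsewhere in the file.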
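Review bot: The `#!/bin/sh` shebang in openvpn.install does not match the body, which uses bash arithmetic `(( ... ))`; pacman sources .install scripts with bash, so the line is decorative, but it misleads anyone running the script by hand, so use `#!/bin/bash` or drop it. The threshold `2.5.0-1` is above this commit's own pkgver (`2.4.rc2.r864.g3b1ded39-1`), so the notice will print on every upgrade until upstream tags 2.5.0; if that is intended, a comment saying so would help, otherwise compare against the first pkgver that shipped the unprivileged units. Also quote the positional argument: `(( $(vercmp "$2" '2.5.0-1') > 0 )) && return`.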
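Review bot: sysusers.conf declares only the `openvpn` user and leaves the `network` group, which both patched units (`Group=network`) and tmpfiles.conf depend on, undeclared; on Arch it presumably comes from the base `filesystem` package (TODO confirm), but if it is absent the units fail to start. A one-line comment, e.g. `# group 'network' is provided by the base system`, would record that assumption next to the user definition.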
@@ -0,0 +1,4 @@ +d /etc/openvpn/client 0750 openvpn network - +d /etc/openvpn/server 0750 openvpn network - +d /run/openvpn-client 0750 openvpn network - +d /run/openvpn-server 0750 openvpn network - |
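Review bot: Owning /etc/openvpn/client and /etc/openvpn/server as `openvpn` makes the service account the owner of its own configuration tree, so anything running as that user can rewrite `%i.conf` (including script hooks) and persist across restarts; the daemon only needs read access, which it already gets through `Group=network` and the group bits. Keeping root as owner mirrors the `-g 90` layout the old PKGBUILD installed: `d /etc/openvpn/client 0750 root network -` and `d /etc/openvpn/server 0750 root network -`, with the two /run entries left as they are. Note that a `d` line also adjusts mode and ownership of an already-existing directory (on current systemd, as far as I recall), so admin-set permissions on these directories would be reset at every boot.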