
Annotation of /rpms/smeserver-openvpn-bridge/contribs10/smeserver-openvpn-bridge-2.1-bz11335.patch



Revision 1.1 - (hide annotations) (download)
Tue Mar 23 20:50:08 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
* Tue Mar 23 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.1-12.sme
- fix permission issue on private keys [SME: 11335]
- rework unit file
  avoid failure, add ncp cipher, add logging status
- add default cipher  AES-256-CBC - if issue with older clients < 2.4
  it is advised to set it to 'auto' or BF-CBC

1 jpp 1.1 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/createlinks smeserver-openvpn-bridge-2.1/createlinks
2     --- smeserver-openvpn-bridge-2.1.old/createlinks 2021-03-23 15:47:30.917000000 -0400
3     +++ smeserver-openvpn-bridge-2.1/createlinks 2021-03-23 16:04:59.303000000 -0400
4     @@ -6,15 +6,6 @@
5     safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/openvpn-bridge");
6     safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/openvpn-bridge");
7    
8     -#service_link_enhanced("openvpn-bridge", "S80", "7");
9     -#service_link_enhanced("openvpn-bridge", "K25", "6");
10     -#service_link_enhanced("openvpn-bridge", "K25", "0");
11     -
12     -
13     -#safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/openvpn-bridge');
14     -safe_symlink("/var/service/openvpn-bridge" , 'root/service/openvpn-bridge');
15     -
16     -safe_touch("root/var/service/openvpn-bridge/down");
17    
18     panel_link("openvpnbridge", 'manager');
19    
20     @@ -46,8 +37,8 @@
21     }
22    
23     #action needed in case we have a systemd unit
24     -event_link("systemd-default", $event, "10");
25     -event_link("systemd-reload", $event, "50");
26     +event_link("systemd-default", $event, "88");
27     +event_link("systemd-reload", $event, "89");
28    
29     #action specific to this package
30     event_link("openvpn-bridge-update", $event, "60");
31     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher
32     --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 1969-12-31 19:00:00.000000000 -0500
33     +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 2021-03-23 16:37:14.278000000 -0400
34     @@ -0,0 +1 @@
35     +AES-256-CBC
36     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/lib/systemd/system/openvpn-bridge.service smeserver-openvpn-bridge-2.1/root/usr/lib/systemd/system/openvpn-bridge.service
37     --- smeserver-openvpn-bridge-2.1.old/root/usr/lib/systemd/system/openvpn-bridge.service 2021-03-23 15:47:30.918000000 -0400
38     +++ smeserver-openvpn-bridge-2.1/root/usr/lib/systemd/system/openvpn-bridge.service 2021-03-23 16:42:01.732000000 -0400
39     @@ -1,9 +1,27 @@
40     [Unit]
41     Description=OpenVPN Server to Server
42     After=network.service
43     +After=bridge.service
44     +Require=bridge.service
45     +
46     [Service]
47     -Type=forking
48     -ExecStart=/usr/sbin/systemd/openvpn-bridge
49     +Type=notify
50     +PrivateTmp=true
51     +WorkingDirectory=/etc/openvpn/bridge
52     +
53     +ExecStart=/usr/sbin/openvpn --status /var/log/openvpn-bridge/status.log --status-version 2 --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/bridge/openvpn.conf --cd /etc/openvpn/bridge
54     +
55     +PrivateTmp=true
56     +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
57     +LimitNPROC=10
58     +DeviceAllow=/dev/null rw
59     +DeviceAllow=/dev/net/tun rw
60     +ProtectSystem=true
61     +ProtectHome=true
62     +KillMode=process
63     +RestartSec=5s
64     +Restart=on-failure
65     +
66     [Install]
67     WantedBy=sme-server.target
68    
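Review bot: `Require=bridge.service` in the [Unit] section is not a systemd directive; the key is `Requires=`, so systemd will warn about an unknown key and ignore the line, leaving only the `After=bridge.service` ordering and no hard dependency. The daemontools run script removed later in this patch exited unless the bridge status was `enabled`, and without `Requires=bridge.service` that guard appears to have no replacement in the unit. Separately, the `--ncp-ciphers` list on the ExecStart line ends with `BF-CBC`, a 64-bit block cipher exposed to SWEET32-style birthday attacks; I would drop it from the shipped default and let sites with pre-2.4 clients add it back explicitly. `PrivateTmp=true` is also set twice, and one copy can go.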
69     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/sbin/systemd/openvpn-bridge smeserver-openvpn-bridge-2.1/root/usr/sbin/systemd/openvpn-bridge
70     --- smeserver-openvpn-bridge-2.1.old/root/usr/sbin/systemd/openvpn-bridge 2021-03-23 15:47:30.918000000 -0400
71     +++ smeserver-openvpn-bridge-2.1/root/usr/sbin/systemd/openvpn-bridge 1969-12-31 19:00:00.000000000 -0500
72     @@ -1,5 +0,0 @@
73     -#!/bin/sh
74     -
75     -exec 2>&1
76     -
77     -exec /usr/sbin/openvpn --config /etc/openvpn/bridge/openvpn.conf --cd /etc/openvpn/bridge
78     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm
79     --- smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2013-11-11 12:27:02.000000000 -0500
80     +++ smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2021-03-23 16:42:01.498000000 -0400
81     @@ -650,7 +650,8 @@
82     }
83     print KEY $key;
84     close KEY;
85     -
86     + chmod(0600, "$privdir/key.pem" );
87     + esmith::util::chownFile("root", "root","$privdir/key.pem" );
88     if (! open (DH, ">$pubdir/dh.pem")){
89     $fm->error('ERROR_OPEN_DH','FIRST');
90     # Tell the user something bad has happened
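Review bot: The added `chmod(0600, "$privdir/key.pem")` runs only after `print KEY $key; close KEY;`, so until the chmod lands the private key sits on disk with whatever mode the process umask (or the file's previous mode) gives it. Neither `chmod` nor `esmith::util::chownFile` has its result checked, so a failure leaves the key exposed without any error reaching the panel. The open for key.pem is outside this hunk, but if it follows the visible `open (DH, ">$pubdir/dh.pem")` form, wrapping the writes in `my $old_umask = umask 0077;` … `umask $old_umask;` would create new files as 0600 from the start, keeping the chmod for files that already exist. I would also check the chmod, e.g. `chmod(0600, "$privdir/key.pem") or warn "chmod key.pem: $!";`, or report it through `$fm->error` as the surrounding code does. The same applies to the takey.pem lines in the next hunk (@@ -666,6 +667,8 @@).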
91     @@ -666,6 +667,8 @@
92     }
93     print TA $ta;
94     close TA;
95     + chmod(0600, "$privdir/takey.pem" );
96     + esmith::util::chownFile("root", "root","$privdir/takey.pem" );
97    
98     # Restrict permissions on sensitive data
99     esmith::util::chownFile("root", "root","$privdir");
100     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/log/run smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/log/run
101     --- smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/log/run 2013-11-11 12:27:02.000000000 -0500
102     +++ smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/log/run 1969-12-31 19:00:00.000000000 -0500
103     @@ -1,23 +0,0 @@
104     -#!/bin/sh
105     -
106     -#----------------------------------------------------------------------
107     -# copyright (C) 2003-2006 Mitel Networks Corporation
108     -#
109     -# This program is free software; you can redistribute it and/or modify
110     -# it under the terms of the GNU General Public License as published by
111     -# the Free Software Foundation; either version 2 of the License, or
112     -# (at your option) any later version.
113     -#
114     -# This program is distributed in the hope that it will be useful,
115     -# but WITHOUT ANY WARRANTY; without even the implied warranty of
116     -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
117     -# GNU General Public License for more details.
118     -#
119     -# You should have received a copy of the GNU General Public License
120     -# along with this program; if not, write to the Free Software
121     -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
122     -#----------------------------------------------------------------------
123     -exec \
124     - /usr/local/bin/setuidgid smelog \
125     - /usr/local/bin/multilog t s5000000 \
126     - /var/log/openvpn-bridge
127     diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/run smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/run
128     --- smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/run 2013-11-11 12:27:01.000000000 -0500
129     +++ smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/run 1969-12-31 19:00:00.000000000 -0500
130     @@ -1,10 +0,0 @@
131     -#!/bin/sh
132     -
133     -exec 2>&1
134     -
135     -BRIDGE=$(/sbin/e-smith/db configuration getprop bridge status)
136     -
137     -[ $BRIDGE == 'enabled' ] || exit 1
138     -
139     -exec /usr/sbin/openvpn --config /etc/openvpn/bridge/openvpn.conf --cd /etc/openvpn/bridge
140     -
