/[smecontribs]/rpms/smeserver-openvpn-bridge/contribs10/smeserver-openvpn-bridge-2.1-bz11335.patch
ViewVC logotype

Contents of /rpms/smeserver-openvpn-bridge/contribs10/smeserver-openvpn-bridge-2.1-bz11335.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Tue Mar 23 20:50:08 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
* Tue Mar 23 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.1-12.sme
- fix permisison issue on private keys [SME: 11335]
- rework unit file
  avoid failure, add ncp cipher, add loging status
- add default cipher  AES-256-CBC - if issue with older clients < 2.4
  it is advised to set it to 'auto' or BF-CBC

1 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/createlinks smeserver-openvpn-bridge-2.1/createlinks
2 --- smeserver-openvpn-bridge-2.1.old/createlinks 2021-03-23 15:47:30.917000000 -0400
3 +++ smeserver-openvpn-bridge-2.1/createlinks 2021-03-23 16:04:59.303000000 -0400
4 @@ -6,15 +6,6 @@
5 safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/openvpn-bridge");
6 safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/openvpn-bridge");
7
8 -#service_link_enhanced("openvpn-bridge", "S80", "7");
9 -#service_link_enhanced("openvpn-bridge", "K25", "6");
10 -#service_link_enhanced("openvpn-bridge", "K25", "0");
11 -
12 -
13 -#safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/openvpn-bridge');
14 -safe_symlink("/var/service/openvpn-bridge" , 'root/service/openvpn-bridge');
15 -
16 -safe_touch("root/var/service/openvpn-bridge/down");
17
18 panel_link("openvpnbridge", 'manager');
19
20 @@ -46,8 +37,8 @@
21 }
22
23 #action needed in case we have a systemd unit
24 -event_link("systemd-default", $event, "10");
25 -event_link("systemd-reload", $event, "50");
26 +event_link("systemd-default", $event, "88");
27 +event_link("systemd-reload", $event, "89");
28
29 #action specific to this package
30 event_link("openvpn-bridge-update", $event, "60");
31 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher
32 --- smeserver-openvpn-bridge-2.1.old/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 1969-12-31 19:00:00.000000000 -0500
33 +++ smeserver-openvpn-bridge-2.1/root/etc/e-smith/db/configuration/defaults/openvpn-bridge/cipher 2021-03-23 16:37:14.278000000 -0400
34 @@ -0,0 +1 @@
35 +AES-256-CBC
36 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/lib/systemd/system/openvpn-bridge.service smeserver-openvpn-bridge-2.1/root/usr/lib/systemd/system/openvpn-bridge.service
37 --- smeserver-openvpn-bridge-2.1.old/root/usr/lib/systemd/system/openvpn-bridge.service 2021-03-23 15:47:30.918000000 -0400
38 +++ smeserver-openvpn-bridge-2.1/root/usr/lib/systemd/system/openvpn-bridge.service 2021-03-23 16:42:01.732000000 -0400
39 @@ -1,9 +1,27 @@
40 [Unit]
41 Description=OpenVPN Server to Server
42 After=network.service
43 +After=bridge.service
44 +Require=bridge.service
45 +
46 [Service]
47 -Type=forking
48 -ExecStart=/usr/sbin/systemd/openvpn-bridge
49 +Type=notify
50 +PrivateTmp=true
51 +WorkingDirectory=/etc/openvpn/bridge
52 +
53 +ExecStart=/usr/sbin/openvpn --status /var/log/openvpn-bridge/status.log --status-version 2 --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config /etc/openvpn/bridge/openvpn.conf --cd /etc/openvpn/bridge
54 +
55 +PrivateTmp=true
56 +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
57 +LimitNPROC=10
58 +DeviceAllow=/dev/null rw
59 +DeviceAllow=/dev/net/tun rw
60 +ProtectSystem=true
61 +ProtectHome=true
62 +KillMode=process
63 +RestartSec=5s
64 +Restart=on-failure
65 +
66 [Install]
67 WantedBy=sme-server.target
68
69 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/sbin/systemd/openvpn-bridge smeserver-openvpn-bridge-2.1/root/usr/sbin/systemd/openvpn-bridge
70 --- smeserver-openvpn-bridge-2.1.old/root/usr/sbin/systemd/openvpn-bridge 2021-03-23 15:47:30.918000000 -0400
71 +++ smeserver-openvpn-bridge-2.1/root/usr/sbin/systemd/openvpn-bridge 1969-12-31 19:00:00.000000000 -0500
72 @@ -1,5 +0,0 @@
73 -#!/bin/sh
74 -
75 -exec 2>&1
76 -
77 -exec /usr/sbin/openvpn --config /etc/openvpn/bridge/openvpn.conf --cd /etc/openvpn/bridge
78 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm
79 --- smeserver-openvpn-bridge-2.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2013-11-11 12:27:02.000000000 -0500
80 +++ smeserver-openvpn-bridge-2.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpnbridge.pm 2021-03-23 16:42:01.498000000 -0400
81 @@ -650,7 +650,8 @@
82 }
83 print KEY $key;
84 close KEY;
85 -
86 + chmod(0600, "$privdir/key.pem" );
87 + esmith::util::chownFile("root", "root","$privdir/key.pem" );
88 if (! open (DH, ">$pubdir/dh.pem")){
89 $fm->error('ERROR_OPEN_DH','FIRST');
90 # Tell the user something bad has happened
91 @@ -666,6 +667,8 @@
92 }
93 print TA $ta;
94 close TA;
95 + chmod(0600, "$privdir/takey.pem" );
96 + esmith::util::chownFile("root", "root","$privdir/takey.pem" );
97
98 # Restrict permissions on sensitive data
99 esmith::util::chownFile("root", "root","$privdir");
100 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/log/run smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/log/run
101 --- smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/log/run 2013-11-11 12:27:02.000000000 -0500
102 +++ smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/log/run 1969-12-31 19:00:00.000000000 -0500
103 @@ -1,23 +0,0 @@
104 -#!/bin/sh
105 -
106 -#----------------------------------------------------------------------
107 -# copyright (C) 2003-2006 Mitel Networks Corporation
108 -#
109 -# This program is free software; you can redistribute it and/or modify
110 -# it under the terms of the GNU General Public License as published by
111 -# the Free Software Foundation; either version 2 of the License, or
112 -# (at your option) any later version.
113 -#
114 -# This program is distributed in the hope that it will be useful,
115 -# but WITHOUT ANY WARRANTY; without even the implied warranty of
116 -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
117 -# GNU General Public License for more details.
118 -#
119 -# You should have received a copy of the GNU General Public License
120 -# along with this program; if not, write to the Free Software
121 -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
122 -#----------------------------------------------------------------------
123 -exec \
124 - /usr/local/bin/setuidgid smelog \
125 - /usr/local/bin/multilog t s5000000 \
126 - /var/log/openvpn-bridge
127 diff -Nur --no-dereference smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/run smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/run
128 --- smeserver-openvpn-bridge-2.1.old/root/var/service/openvpn-bridge/run 2013-11-11 12:27:01.000000000 -0500
129 +++ smeserver-openvpn-bridge-2.1/root/var/service/openvpn-bridge/run 1969-12-31 19:00:00.000000000 -0500
130 @@ -1,10 +0,0 @@
131 -#!/bin/sh
132 -
133 -exec 2>&1
134 -
135 -BRIDGE=$(/sbin/e-smith/db configuration getprop bridge status)
136 -
137 -[ $BRIDGE == 'enabled' ] || exit 1
138 -
139 -exec /usr/sbin/openvpn --config /etc/openvpn/bridge/openvpn.conf --cd /etc/openvpn/bridge
140 -

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed