Package: openvpn
Version: 2.5~rc2-1
Severity: normal
Tags: upstream security
X-Debbugs-Cc: deb...@dirdi.name, Debian Security Team <t...@security.debian.org>

OpenVPN's man page suggests running the daemon as nobody.nogroup. This is
a bad habit, since other daemons that also run as nobody.nogroup could
interfere with the OpenVPN daemon. Instead, OpenVPN should add a dedicated
system user during installation:
> adduser --quiet --system --group --home /nonexistent --no-create-home 
> Debian-openvpn

The advice to the user should then be to run the daemon as
Debian-openvpn.Debian-openvpn instead of nobody.nogroup. Therefore the man
page should be patched:
- This option can be combined with --user nobody to allow restarts triggered by 
the SIGUSR1 signal.
+ This option can be combined with --user Debian-openvpn to allow restarts 
triggered by the SIGUSR1 signal.
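Review bot: this hunk only changes the `--user` example, while the report itself asks for the daemon to run as Debian-openvpn.Debian-openvpn; if the group is also meant to change, the replacement sentence should read "combined with --user Debian-openvpn --group Debian-openvpn" so the man page and the advice above agree.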

... and:
- By  setting user to nobody or somebody similarly unprivileged, the hostile 
party would be limited in what damage they could cause.
+ By  setting user to Debian-openvpn, the hostile party would be limited in 
what damage they could cause.
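Review bot: the replacement sentence drops "or somebody similarly unprivileged", so the man page would then describe only the Debian-specific account and no longer tell the reader that any dedicated unprivileged account serves the same purpose; suggest "+ By setting user to Debian-openvpn or another dedicated unprivileged account, the hostile party would be limited in what damage they could cause." (this also fixes the doubled space in "By  setting" carried over from the original line).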

... as well as the following sample configuration files:
/usr/share/doc/openvpn/examples/sample-config-files/client.conf
/usr/share/doc/openvpn/examples/sample-config-files/server.conf
/usr/share/doc/openvpn/examples/sample-config-files/tls-home.conf
/usr/share/doc/openvpn/examples/sample-config-files/tls-office.conf
/usr/share/doc/openvpn/examples/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn/examples/sample-config-files/xinetd-server-config


Upstream bugreport: https://community.openvpn.net/openvpn/ticket/1335

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  iproute2               5.8.0-1
ii  libc6                  2.31-3
ii  liblz4-1               1.9.2-2
ii  liblzo2-2              2.10-2
ii  libpam0g               1.3.1-5
ii  libpkcs11-helper1      1.26-1+b1
ii  libssl1.1              1.1.1g-1
ii  libsystemd0            246.6-1
ii  lsb-base               11.1.0

Versions of packages openvpn recommends:
ii  easy-rsa  3.0.6-1

Versions of packages openvpn suggests:
ii  openssl                   1.1.1g-1
pn  openvpn-systemd-resolved  <none>
pn  resolvconf                <none>

-- debconf information excluded
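The hazard this report describes is that every process running as nobody/nogroup shares one uid with the VPN daemon. The following added example (not part of the bug report or the openvpn package) audits an OpenVPN config for the shared account and lists the other processes that run under whatever account the daemon drops to; the config contents, the process listing and the `ovpn_*` function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report or the openvpn package: audit an
# OpenVPN config for the shared nobody/nogroup account and list other
# processes that run under the account the daemon drops privileges to.

# Print the value of directive $1 ("user" or "group") in config file $2.
# Comments (# or ;) are stripped; the last occurrence wins, as in OpenVPN.
ovpn_directive() {
    sed -e 's/[#;].*$//' "$2" | awk -v d="$1" '$1 == d { v = $2 } END { print v }'
}

# Return 0 if config $1 drops privileges to an account other than the
# shared nobody/nogroup pair; 1 if it uses nobody/nogroup or never drops.
ovpn_check_config() {
    u=$(ovpn_directive user "$1")
    g=$(ovpn_directive group "$1")
    [ -n "$u" ] || return 1
    [ "$u" != nobody ] && [ "$g" != nogroup ]
}

# From a "ps -eo user=,pid=,comm=" listing in file $2, print the command
# names of processes other than openvpn that run as account $1. Anything
# listed here shares a uid with the daemon and could signal or ptrace it.
ovpn_shared_account_procs() {
    awk -v acct="$1" '$1 == acct && $3 != "openvpn" { print $3 }' "$2"
}

# Constructed sample inputs (not real system data).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/bad.conf" <<'EOF'
# as shipped in the sample-config-files
user nobody
group nogroup
EOF
cat > "$tmp/good.conf" <<'EOF'
user Debian-openvpn   ; dedicated account proposed in the report
group Debian-openvpn
EOF
cat > "$tmp/ps.txt" <<'EOF'
root 1 systemd
nobody 412 openvpn
nobody 531 dnsmasq
nobody 640 nginx
Debian-openvpn 700 openvpn
EOF
ovpn_check_config "$tmp/bad.conf" || echo "bad.conf: uses shared nobody/nogroup"
ovpn_check_config "$tmp/good.conf" && echo "good.conf: dedicated account"
echo "sharing 'nobody' with openvpn: $(ovpn_shared_account_procs nobody "$tmp/ps.txt" | tr '\n' ' ')"
```

On a live system the listing comes from `ps -eo user=,pid=,comm=`; an empty result for the dedicated account is the state the report is asking for.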
