security/openvpn: create and use dedicated openvpn user

PR: 259384
2025-07-18 09:49:18 -04:00 · 2021-10-31 18:37:47 +01:00 · 2021-10-31 18:37:47 +01:00 · bb6ec079c5
commit bb6ec079c5
parent f206959738
7 changed files with 89 additions and 11 deletions
--- a/2
+++ b/2
@ -240,7 +240,7 @@ conduit:*:297:
 neolink:*:298:
 owncast:*:299:
 backuppc:*:300:
-# free: 301
+openvpn:*:301:
 netdata:*:302:
 # free: 303
 # free: 304
--- a/2
+++ b/2
@ -245,7 +245,7 @@ conduit:*:297:297::0:0:Conduit daemon:/var/db/conduit:/usr/sbin/nologin
 neolink:*:298:298::0:0:& daemon:/nonexistent:/usr/sbin/nologin
 owncast:*:299:299::0:0:& daemon:/nonexistent:/usr/sbin/nologin
 backuppc:*:300:300::0:0:BackupPC pseudo-user:/nonexistent:/usr/sbin/nologin
-# free: 301
+openvpn:*:301:301::0:0:OpenVPN pseudo-user:/nonexistent:/usr/sbin/nologin
 netdata:*:302:302::0:0:NetData Daemon:/var/cache/netdata:/usr/sbin/nologin
 # free: 303
 # free: 304
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@ -2,7 +2,7 @@
 PORTNAME=		openvpn
 DISTVERSION=		2.5.4
-PORTREVISION?=		0
+PORTREVISION?=		1
 CATEGORIES=		security net net-vpn
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 			https://build.openvpn.net/downloads/releases/ \
@ -21,6 +21,9 @@ SHEBANG_FILES=		sample/sample-scripts/verify-cn \
 			sample/sample-scripts/auth-pam.pl \
 			sample/sample-scripts/ucn.pl
 USERS=			openvpn
 GROUPS=			openvpn
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--enable-strict
 # set PLUGIN_LIBDIR so that unqualified plugin paths are found:
@ -119,6 +122,13 @@ pre-configure:
 	@${ECHO} "### --------------------------------------------------------- ###"
 .endif
 post-patch:
 	${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
 		-e 's/"nobody"( after init)/"openvpn" \1/' \
 		${WRKSRC}/sample/sample-config-files/*.conf \
 		${WRKSRC}/sample/sample-config-files/xinetd-*-config \
 		${WRKSRC}/doc/man-sections/generic-options.rst
 post-configure:
 	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
 	    ${WRKSRC}/src/plugins/auth-pam/Makefile \
--- a/security/openvpn/files/patch-doc_man-sections_generic-options.rst
+++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
@ -0,0 +1,11 @@
 --- doc/man-sections/generic-options.rst.orig	2021-10-31 16:17:17 UTC
 +++ doc/man-sections/generic-options.rst
@@ -431,7 +431,7 @@ which mode OpenVPN is configured as.
   able to gain control of an OpenVPN session. Though OpenVPN's security
   features make this unlikely, it is provided as a second line of defense.
 -  By setting ``user`` to :code:`nobody` or somebody similarly unprivileged,
 +  By setting ``user`` to :code:`openvpn` or somebody similarly unprivileged,
   the hostile party would be limited in what damage they could cause. Of
   course once you take away privileges, you cannot return them to an
   OpenVPN session. This means, for example, that if you want to reset an
--- a/security/openvpn/files/patch-doc_openvpn.8
+++ b/security/openvpn/files/patch-doc_openvpn.8
@ -0,0 +1,20 @@
 --- doc/openvpn.8.orig	2021-10-05 05:57:01 UTC
 +++ doc/openvpn.8
@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior
 .B \-\-persist\-key
 Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&.
 .sp
 -This option can be combined with \fB\-\-user nobody\fP to allow restarts
 +This option can be combined with \fB\-\-user openvpn\fP to allow restarts
 triggered by the \fBSIGUSR1\fP signal. Normally if you drop root
 privileges in OpenVPN, the daemon cannot be restarted since it will now
 be unable to re\-read protected key files.
@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho
 able to gain control of an OpenVPN session. Though OpenVPN\(aqs security
 features make this unlikely, it is provided as a second line of defense.
 .sp
 -By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged,
 +By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged,
 the hostile party would be limited in what damage they could cause. Of
 course once you take away privileges, you cannot return them to an
 OpenVPN session. This means, for example, that if you want to reset an
--- a/security/openvpn/files/patch-doc_openvpn.8.html
+++ b/security/openvpn/files/patch-doc_openvpn.8.html
@ -0,0 +1,20 @@
 --- doc/openvpn.8.html.orig	2021-10-05 05:57:01 UTC
 +++ doc/openvpn.8.html
@@ -650,7 +650,7 @@ lower priority, <tt class="docutils literal">n</tt> le
 <tr><td class="option-group">
 <kbd><span class="option">--persist-key</span></kbd></td>
 <td><p class="first">Don't re-read key files across <code>SIGUSR1</code> or <tt class="docutils literal"><span class="pre">--ping-restart</span></tt>.</p>
 -<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> nobody</tt> to allow restarts
 +<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> openvpn</tt> to allow restarts
 triggered by the <code>SIGUSR1</code> signal. Normally if you drop root
 privileges in OpenVPN, the daemon cannot be restarted since it will now
 be unable to re-read protected key files.</p>
@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th
 useful to protect the system in the event that some hostile party was
 able to gain control of an OpenVPN session. Though OpenVPN's security
 features make this unlikely, it is provided as a second line of defense.</p>
 -<p class="last">By setting <tt class="docutils literal">user</tt> to <code>nobody</code> or somebody similarly unprivileged,
 +<p class="last">By setting <tt class="docutils literal">user</tt> to <code>openvpn</code> or somebody similarly unprivileged,
 the hostile party would be limited in what damage they could cause. Of
 course once you take away privileges, you cannot return them to an
 OpenVPN session. This means, for example, that if you want to reset an
--- a/security/openvpn/files/pkg-message.in
+++ b/security/openvpn/files/pkg-message.in
@ -1,17 +1,34 @@
 [
 { type: install
  message: <<EOM
-  Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
+Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
-  startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
+startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
-  Connect to VPN server as a client with this command to include
+Connect to VPN server as a client with this command to include
-  the client.up/down scripts in the initialization:
+the client.up/down scripts in the initialization:
-  openvpn-client <spec>.ovpn
+openvpn-client <spec>.ovpn
-  For compatibility notes when interoperating with older OpenVPN
+For compatibility notes when interoperating with older OpenVPN
-  versions, please see <http://openvpn.net/relnotes.html>
+versions, please see <http://openvpn.net/relnotes.html>
-  Note that OpenVPN does not officially support LibreSSL.
+Note that OpenVPN does not officially support LibreSSL.
 Note that OpenVPN configures a separate user and group "openvpn",
 which should be used instead of the NFS user "nobody"
 when an unprivileged user account is desired.
 You may want to add user openvpn and group openvpn when creating your
 configuration files, the example configuration shows this only as comments.
 EOM
 }
 { type: upgrade
  message: <<EOM
 Note that OpenVPN now configures a separate user and group "openvpn",
 which should be used instead of the NFS user "nobody"
 when an unprivileged user account is desired.
 It is advisable to review existing configuration files and
 to consider adding/changing user openvpn and group openvpn.
 EOM
 }
 ]