From ef0882c8f90de0ee421ce243b263e806ffb714cc Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Iniesta
Date: Thu, 13 Aug 2015 11:55:01 +0200
Subject: Fix #792907 and improve @.service options
---
 debian/changelog | 4 ++++
 debian/openvpn@.service | 6 +++++-
 debian/rules | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 23c2b61..105b97b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,10 @@ openvpn (2.3.8-1) unstable; urgency=medium
 * debian/control: Move libsystemd-daemon-dev Build-Dep to libsystemd-dev. (Closes: #791904)
 * New upstream release. (Closes: #791829)
+ * debian/rules: remove obsolete options (*-path) to configure
+ * openvpn@.service: Use KillMode=mixed to fix signaling of some plugins.
+ (Closes: #792907). Also add PrivateTmp & LimitNPROC options.
+ Thanks Daniel Hahler for the patch.
 -- Alberto Gonzalez Iniesta Mon, 10 Aug 2015 16:46:20 +0200
diff --git a/debian/openvpn@.service b/debian/openvpn@.service
index 07f9e5b..b438168 100644
--- a/debian/openvpn@.service
+++ b/debian/openvpn@.service
@@ -7,12 +7,16 @@ Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
+PrivateTmp=true
+KillMode=mixed
 Type=forking
-ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
+ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn-%i.pid
+PIDFile=/run/openvpn-%i.pid
 ExecReload=/bin/kill -HUP $MAINPID
 WorkingDirectory=/etc/openvpn
 ProtectSystem=yes
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/debian/rules b/debian/rules
index ba759c2..984c60c 100755
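Review bot: `LimitNPROC=10` in the [Service] section of openvpn@.service sets RLIMIT_NPROC, which the kernel counts per real UID rather than per unit, so it does not cap this instance the way its placement suggests. If a configuration drops privileges to a shared account (for example `user nobody`), every other process owned by that account counts against the 10, and fork() for up/down scripts or plugins can then fail with EAGAIN; while the daemon still runs as root the limit is generally not enforced at all. I would document this above the line, e.g. `# RLIMIT_NPROC is per UID, not per unit; pair with a dedicated "user" account in the .conf`, and consider the cgroup-scoped `TasksMax=` where the installed systemd supports it. Separately, `PrivateTmp=true` deserves a sentence in the package documentation, since configurations whose scripts or management sockets exchange files with other processes through /tmp will no longer see the shared directory.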
--- a/debian/rules
+++ b/debian/rules
@@ -14,7 +14,7 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 dh $@ --with systemd
 override_dh_auto_configure:
- dh_auto_configure -- $(shell dpkg-buildflags --export=configure) --enable-password-save --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig $(ROUTE_ARGS) --with-plugindir=\$${prefix}/lib/openvpn --includedir=\$${prefix}/include/openvpn --enable-pkcs11 --enable-x509-alt-username --enable-systemd
+ dh_auto_configure -- $(shell dpkg-buildflags --export=configure) --enable-password-save --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --with-plugindir=\$${prefix}/lib/openvpn --includedir=\$${prefix}/include/openvpn --enable-pkcs11 --enable-x509-alt-username --enable-systemd
 override_dh_auto_build:
--
cgit v1.2.3
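Review bot: Dropping `--with-ifconfig-path=/sbin/ifconfig $(ROUTE_ARGS)` from the `dh_auto_configure` line leaves the helper paths to whatever configure detects in the build environment, and nothing on the new line pins them. For a daemon that invokes these helpers as root, the compiled-in paths should not depend on the build chroot's PATH. If this upstream version accepts them as configure variables (I believe `IFCONFIG=` and `ROUTE=`, to be confirmed against `./configure --help`), pass `IFCONFIG=/sbin/ifconfig` explicitly on this line. `ROUTE_ARGS` is defined outside the hunk and presumably becomes unused, so its definition should be removed in the same change.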