mount in client-connect script fails

Koni
OpenVpn Newbie
Posts: 9
Joined: Tue Oct 11, 2016 9:25 am

mount in client-connect script fails

Post by Koni » Wed May 10, 2017 8:14 pm

Hi There,
My idea is to mount client-specific volumes on Ubuntu 16.04 with OpenVPN 2.3.10.

So I wrote a client-connect script: it checks the connected client and should mount a volume.

The script is executed; if I try a
sudo mount -t cifs -o user=xx,password=xx,port=xxxxxx //azbycx.selfhost.eu/nas-media /home/shares/nas-media

there is an error from the mount statement:
Unable to apply new capability set.

If I do the same mount from a standard console, the mount works.

There is no difference between using "sudo mount ...." and "mount ...".

regards
Koni

Koni
OpenVpn Newbie
Posts: 9
Joined: Tue Oct 11, 2016 9:25 am

Re: mount in client-connect script fails

Post by Koni » Thu May 11, 2017 7:53 am

Additional info:
I upgraded OpenVPN to 2.4.1 ...
same issue ...

Error "Unable to apply new capability set." if the client-connect script contains the "mount -t cifs -o user=x......."

regards

Koni

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: mount in client-connect script fails

Post by TinCanTech » Thu May 11, 2017 12:07 pm

Specify all commands with their full path, e.g. /usr/bin/sudo etc.

Koni
OpenVpn Newbie
Posts: 9
Joined: Tue Oct 11, 2016 9:25 am

Re: mount in client-connect script fails

Post by Koni » Fri May 12, 2017 6:33 am

I tried:
/usr/bin/sudo /bin/mount -t cifs -v -o user....

Same problem: Unable to apply new capability set.

It seems to be a problem with the capability security mechanism:
http://manpages.ubuntu.com/manpages/zes ... ies.7.html

http://manpages.ubuntu.com/manpages/xen ... unt.2.html
says:

Appropriate privilege (Linux: the CAP_SYS_ADMIN capability) is required to mount filesystems.

How can I correct this?

Koni
OpenVpn Newbie
Posts: 9
Joined: Tue Oct 11, 2016 9:25 am

Re: mount in client-connect script fails

Post by Koni » Fri May 12, 2017 7:02 am

There is also the problem if I write the mount point in the fstab.

regards
Koni

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: mount in client-connect script fails

Post by TinCanTech » Fri May 12, 2017 10:40 am

The details you have provided are a bit thin on the ground .. Please see:
HOWTO: Request Help !
Koni wrote: error "Unable to apply new capability set."
You could add CAP_SYS_ADMIN to your unit file but the added risk is your decision to make.

Koni
OpenVpn Newbie
Posts: 9
Joined: Tue Oct 11, 2016 9:25 am

Re: mount in client-connect script fails

Post by Koni » Fri May 12, 2017 3:07 pm

Hi TinCanTech,
thanks for your help.
I thought it was not necessary to post all config files, since OpenVPN works correctly.

OpenVPN-Version
openvpn --version
OpenVPN 2.4.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2017
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no
Ubuntu-Version
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
OpenVPN Server Config:
port 995
proto tcp
dev tun
ca ca.crt
cert CCRCC.crt
key CCRCC.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push 'block-outside-dns'
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

script-security 3
client-connect /etc/openvpn/_connect.sh
client-disconnect /etc/openvpn/_disconnect.sh


the _connect.sh contains
echo "Start-Test" >>/etc/openvpn/log.txt
/usr/bin/sudo /bin/mount -t cifs -v -o user=xx,password=xx,port=12345 //xxxyyy.selfhost.eu/nas-media /home/shares/nas-media \
>>/etc/openvpn/log.txt 2>>/etc/openvpn/log.txt
echo "Stop-Test" >>/etc/openvpn/log.txt
If I run _connect.sh from a shell it works; the mount is available.

If _connect.sh is executed by OpenVPN when a client connects, the logfile contains:
Start-Test
Unable to apply new capability set.
Stop-Test
You wrote:
You could add CAP_SYS_ADMIN to your unit file but the added risk is your decision to make.

I found:
https://www.freedesktop.org/software/sy ... .exec.html
Could I add CAP_SYS_ADMIN for a (my) specific mount point?
How can I do that for a mount point, or generally?
I don't know that .. no idea ..

"added risk":
Is it more of a risk to have an external volume mounted all the time, or to mount it only when needed and add CAP_SYS_ADMIN?

regards
Koni

SomeGuy
OpenVPN Power User
Posts: 64
Joined: Sat Dec 17, 2016 1:58 am

Re: mount in client-connect script fails

Post by SomeGuy » Fri May 12, 2017 11:20 pm

Adding "capabilities" of "CAP_SYS_ADMIN" for openvpn and the sudo mount is likely the security risk implied.

As an alternative solution, consider reviewing the man pages for fstab and filesystem mount *options*.

Many filesystems include the mount options "noauto" and "user".

The "noauto" option means it is not mounted automatically on boot.
The "user" option allows non-root users to mount filesystems explicitly listed in /etc/fstab.

With these options in supported filesystems as options in fstab, you should not need to sudo, just the "mount" call.

Example entry in /etc/fstab to try:


//xxxyyy.selfhost.eu/nas-media    /home/shares/nas-media  cifs    user=xx,password=xx,port=12345,noauto,user   0  0
Then try removing the sudo command from your script, and instead replace this:


/usr/bin/sudo /bin/mount -t cifs -v -o user=xx,password=xx,port=12345 //xxxyyy.selfhost.eu/nas-media /home/shares/nas-media \
>>/etc/openvpn/log.txt 2>>/etc/openvpn/log.txt
with:


/bin/mount /home/shares/nas-media
since mount will lookup the entry for how to mount "/home/shares/nas-media" and use the options specified.

Having a password for your network mount in your script or fstab is yet another security problem. (If this is a single-user system, it is not as bad as with a multi-user system, but leaving a password in the plain in a script or config file is pretty risky -- any change in ownership of your machine means the "evil user" also has access to your password and share, and if they get your VPN private key, maybe even your access to the VPN.) An alternative to putting them in the globally readable /etc/fstab is the cifs mount option "credentials=", which lets you specify a file containing the credentials needed for mounting (see the man page); then add access restrictions on who can read that file.

Is the mount supposed to be read-only or read-write? Specify it explicitly with "ro" or "rw" in the options field.

Also, it would probably be good to specify a "uid=" (in fstab for this mount) for mounting and file operations locally, too, to specify a UserID to mount for access and DAC (Discretionary Access Controls). If this is a single-user system, then have the uid=YOURUSERID so you can access files on that share as "you" no matter who tried to mount it and users that are not "you" (except root) on your box would not have access to those network files.
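Added example, not code from this thread or from OpenVPN: a client-connect helper built on the fstab approach SomeGuy describes (noauto,user,credentials=,uid=,ro), so the script calls plain /bin/mount with no sudo and no extra capabilities for the openvpn service. The credentials file path /etc/openvpn/nas-media.cred, uid 1000, the "ro" choice and the client CN "client-nas" are assumptions; the username/password in credentials_body are constructed sample values.

```shell
#!/bin/sh
# Mount a CIFS share from a client-connect script via its /etc/fstab entry.
# Assumed names (placeholders): CREDFILE path, MOUNT_UID, and the client CN.
set -u

SHARE='//xxxyyy.selfhost.eu/nas-media'
MOUNTPOINT='/home/shares/nas-media'
CREDFILE='/etc/openvpn/nas-media.cred'   # assumed path, owner root, mode 0600
MOUNT_UID='1000'                         # assumed uid that should own the files

# The fstab line: noauto = not mounted at boot, user = an unprivileged caller may
# mount it, credentials= keeps the password out of the world-readable fstab,
# uid= fixes the local owner, ro makes the intent explicit.
fstab_entry() {
    printf '%s\t%s\tcifs\tnoauto,user,credentials=%s,uid=%s,ro,port=12345\t0 0\n' \
        "$SHARE" "$MOUNTPOINT" "$CREDFILE" "$MOUNT_UID"
}

# Body of the credentials file read by mount.cifs ("username=" and "password=" lines).
credentials_body() {
    printf 'username=%s\npassword=%s\n' "$1" "$2"
}

# Return 0 only if the file exists and is unreadable by group and others.
credentials_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Mount through the fstab entry; refuse to run if the credentials file leaks
# or the entry is missing, so a misconfiguration shows up in the log.
mount_share() {
    credentials_file_ok "$CREDFILE" || { echo "$CREDFILE is readable by others" >&2; return 1; }
    grep -q "[[:space:]]$MOUNTPOINT[[:space:]]" /etc/fstab || { echo "no fstab entry for $MOUNTPOINT" >&2; return 1; }
    /bin/mount "$MOUNTPOINT"
}

# OpenVPN exports common_name to client-connect scripts; mount only for the intended client.
case "${common_name:-}" in
    client-nas) mount_share ;;   # assumed client CN
esac
```

Run `fstab_entry >> /etc/fstab` once as root and write `credentials_body` output to the credentials file with mode 0600; the client-connect script then only needs the case block at the bottom.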

Koni
OpenVpn Newbie
Posts: 9
Joined: Tue Oct 11, 2016 9:25 am

[SOLVED] mount in client-connect script fails

Post by Koni » Thu May 18, 2017 8:53 am

Hi SomeGuy,
thanks for your help ...
After trying that I got the same error, but it guided me to the problem: IPv6.

So disable IPv6.

Add to "sysctl.conf":
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
and reload with "sysctl -p".
