openvpn fails to run a learn-address script

For a few days now (since an update of systemd and openvpn), openvpn has been failing
while running the learn-address script, with the following message:

Feb 25 09:07:56 vpn openvpn[27220]: sudo: unable to send audit message
Feb 25 09:07:56 vpn openvpn[27220]: sudo: pam_open_session: System error
Feb 25 09:07:56 vpn openvpn[27220]: sudo: policy plugin failed session initialization


I found the following bug reports, which may be related and make me assume that systemd is causing the error:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792653

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868806

As a workaround, openvpn is now running as the superuser instead of the user
vpn. However, I would like to change this back.



I tried to give appropriate rights to the daemon using an override file

/etc/systemd/system/openvpn-server@.service.d/override.conf

and restarting the service

sudo systemctl daemon-reload

sudo service openvpn-server@clstest restart


The error persists with two different versions of override.conf:

version 1:

    ProtectSystem=yes
    CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

version 2:

    ProtectSystem=no
    CapabilityBoundingSet=~


I reported the issue against

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868806

which may have been wrong, since the bug was already closed and
downgrading to the version before the update did not resolve the issue.


I'm looking for help related to three questions:

1) How do I get additional information about what is causing the error?
Why is systemd blocking sudo despite the modifications in override.conf?

2) More generally: How can I run openvpn in a daemon as user vpn with
the ability to use sudo in a learn-address-script?

3) Would it be appropriate to file a bug report against systemd at this
stage?

Thanks in advance,

kind regards

Dominik
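One way to answer question 1 is to check which capabilities the running openvpn process actually retains, rather than what the override file asks for: sudo's "unable to send audit message" comes from its attempt to write to the audit netlink socket, which needs CAP_AUDIT_WRITE, so a missing bit in the bounding or effective set of the service is the first thing to verify. The script below is an added example, not part of the post or of any Debian package; it decodes the CapBnd and CapEff hex masks from /proc/<pid>/status into capability names, using the standard Linux capability bit numbers. The sample mask at the end is constructed to match the bounding set listed in version 1 of the override file.

```shell
#!/bin/sh
# Added example: decode capability masks from /proc/<pid>/status so you can
# see what the openvpn service really has, e.g. whether cap_audit_write
# survived the unit's CapabilityBoundingSet. Bit numbers follow the kernel's
# capability.h ordering (cap_chown = bit 0, ..., cap_audit_read = bit 37).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read"

# decode_caps HEXMASK -> prints one cap_<name> per line for every set bit
decode_caps() {
    mask=$((0x$1))
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            echo "cap_$name"
        fi
        bit=$((bit + 1))
    done
}

# has_cap HEXMASK NAME -> exit status 0 if cap_NAME is present in the mask
has_cap() {
    decode_caps "$1" | grep -qx "cap_$2"
}

# show_proc_caps PID -> decode CapBnd and CapEff of a live process, e.g.
#   show_proc_caps "$(systemctl show -p MainPID --value openvpn-server@clstest)"
show_proc_caps() {
    for field in CapBnd CapEff; do
        hex=$(awk -v f="$field:" '$1 == f { print $2 }' "/proc/$1/status")
        echo "$field ($hex):"
        decode_caps "$hex" | sed 's/^/  /'
    done
}

# Constructed sample mask: the nine capabilities from the post's
# CapabilityBoundingSet (bits 1,6,7,10,12,13,14,18,29).
SAMPLE_MASK=00000000200474c2
```

If cap_audit_write is absent from CapBnd of the main openvpn process, the override is not being applied (check `systemctl cat openvpn-server@clstest` for the drop-in); if it is present in CapBnd but not CapEff, the process dropped it itself when switching to user vpn.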