diff options
| author | David Sommerseth <dazo@users.sourceforge.net> | 2014-05-02 02:28:24 +0200 |
|---|---|---|
| committer | Gert Doering <gert@greenie.muc.de> | 2014-06-22 19:22:09 +0200 |
| commit | 4978dadaed4ecf1b9dd256f57c6a5c895691580b (patch) | |
| tree | ff5053f40cc3de9af89b23114c36d83217e4f400 | |
| parent | 70f1864188ad00451683cabf51e56b7730250c40 (diff) | |
| download | openvpn-4978dadaed4ecf1b9dd256f57c6a5c895691580b.tar.gz openvpn-4978dadaed4ecf1b9dd256f57c6a5c895691580b.tar.xz openvpn-4978dadaed4ecf1b9dd256f57c6a5c895691580b.zip | |
Improve error reporting on file access to --client-config-dir and --ccd-exclusive
OpenVPN will do some simple sanity checking at startup to ensure
the expected files and directories is in place. However, with
--client-config-dir and --ccd-exclusive, things are slightly different.
In both cases it is perfectly fine that files does not exists, and we
cannot know any file names beforehand due to these filenames being based
upon the certificate's CN field.
The problem arises when OpenVPN cannot open files inside a directory
because the directory permissions are too restrictive, have wrong
ownership (triggered by the usage of --user/--group) or other security
mechanisms the OS uses.
When a client connects, the test_file() function is used to check if a
client config file has been prepared. And if not, it continues without
trying to read it. So, if the privileges of the running OpenVPN process
is not allowed to open and read an existing file, OpenVPN will treat this
as a non-existing file without saying anything. This is clearly wrong.
So this patch adds an warning message in the OpenVPN log if it could
not open the file due to lack of permissions.
This will work fine on all *nix based OSes. Windows however reports
'no such file or directory' (errno=2/-ENOENT) even on privilege access
errors when the directory this file resides is too restrictive. But there
is no easy way to work around that. However, I believe that the initial
sanity checking at startup will catch that one, as it will check if the
directories it needs exists.
This patch has only gone through simple basic testing, with both too few
privileges and with proper privileges to the CCD directory. With wrong
privileges, the following error can be found if CN=Test client
Fri May 2 00:00:10 2014 us=281993 127.0.0.1:41017 Could not access file
'/etc/clients/Test client': Permission denied (errno=13)
[v2 - use openvpn_errno() instead of errno, for better platform support]
Trac: #277
Trac-URL: https://community.openvpn.net/openvpn/ticket/277
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398990504-4239-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8688
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| -rw-r--r-- | src/openvpn/misc.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 7483184..63b4c1c 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -861,6 +861,12 @@ test_file (const char *filename) fclose (fp); ret = true; } + else + { + if( openvpn_errno () == EACCES ) { + msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename); + } + } } dmsg (D_TEST_FILE, "TEST FILE '%s' [%d]", |