Re: [Openvpn-devel] [SPAM] [PATCH] Skip tmp-dir check unless actualy used

Tue, 29 Apr 2025 01:25:45 -0700 


Am 28.04.2025 um 23:46 schrieb Klemens Nanni:

As per the manual, it is subject to `chroot` and used only by
`client-connect` and `plugin`.

Without additional code being run and `chroot /var/empty/` (amongst
`user`, `persist-*`, etc.) set to reduce run-time privileges as much as
possible, the default temporary is still required upon start:

Options error: Temporary directory (--tmp-dir) fails with '/var/empty///tmp': 
No such file or directory (errno=2)

`tmp-dir /` works around this, but should not be needed.

In this setup, client and server have no create/write filesystem access
at all after privilege drop;  with this fix, ktrace(1) (on OpenBSD)
shows no namei(9) lookup being made at runtime (after `chroot`):

        # ktrace -d -i -tn ./openvpn --config ./conf --tmp-dir /nonexistent/
        ...^C
        # kdump | grep -q -e/tmp -e/nonexistent ; echo $?
---
  src/openvpn/options.c | 13 +++++++++++--
  1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 96119c48..effa8d0f 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -4149,8 +4149,17 @@ options_postprocess_filechecks(struct options *options)
      /* ** Config related ** */
      errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, 
options->client_config_dir,
                                       R_OK|X_OK, "--client-config-dir");
-    errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, 
options->tmp_dir,
-                                     R_OK|W_OK|X_OK, "Temporary directory 
(--tmp-dir)");
+
+    msg(M_WARN|M_NOPREFIX, "tmp_dir = '%s'", options->tmp_dir);
+    if (options->client_connect_script
+#ifdef ENABLE_PLUGIN
+        || options->plugin_list
+#endif /* ENABLE_PLUGIN */
+       )
+    {
+        errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, 
options->tmp_dir,
+                                         R_OK|W_OK|X_OK, "Temporary directory 
(--tmp-dir)");
+    }
There are more instances where the tmp dir is used. Just to name one of the top of my head is tls-crypt-v2-verify. I wonder if the benefit herre is big enough. As you said, even in your ro scenario it can be workarounded with specifying an existing directory. 

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






















					Reply via email to