OpenVPN will do some simple sanity checking at startup to ensure the expected files and directories is in place. However, with --client-config-dir and --ccd-exclusive, things are slightly different. In both cases it is perfectly fine that files does not exists, and we cannot know any file names beforehand due to these filenames being based upon the certificate's CN field.
The problem arises when OpenVPN cannot open files inside a directory because the directory permissions are too restrictive, have wrong ownership (triggered by the usage of --user/--group) or other security mechanisms the OS uses. When a client connects, the test_file() function is used to check if a client config file has been prepared. And if not, it continues without trying to read it. So, if the privileges of the running OpenVPN process is not allowed to open and read an existing file, OpenVPN will treat this as a non-existing file without saying anything. This is clearly wrong. So this patch adds an warning message in the OpenVPN log if it could not open the file due to lack of permissions. This will work fine on all *nix based OSes. Windows however reports 'no such file or directory' (errno=2/-ENOENT) even on privilege access errors when the directory this file resides is too restrictive. But there is no easy way to work around that. However, I believe that the initial sanity checking at startup will catch that one, as it will check if the directories it needs exists. This patch has only gone through simple basic testing, with both too few privileges and with proper privileges to the CCD directory. With wrong privileges, the following error can be found if CN=Test client Fri May 2 00:00:10 2014 us=281993 127.0.0.1:41017 Could not access file '/etc/clients/Test client': Permission denied (errno=13) [v2 - use openvpn_errno() instead of errno, for better platform support] Trac: #277 Trac-URL: https://community.openvpn.net/openvpn/ticket/277 Signed-off-by: David Sommerseth <d...@users.sourceforge.net> --- src/openvpn/misc.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 7483184..63b4c1c 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -861,6 +861,12 @@ test_file (const char *filename) fclose (fp); ret = true; } + else + { + if( openvpn_errno () == EACCES ) { + msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename); + } + } } dmsg (D_TEST_FILE, "TEST FILE '%s' [%d]", -- 1.7.1
