ACK Sorry it took so long. Patch looks good, and works as expected for me.
-Steffan On 02-05-14 02:28, David Sommerseth wrote: > OpenVPN will do some simple sanity checking at startup to ensure the expected > files and directories is in place. However, with --client-config-dir and > --ccd-exclusive, things are slightly different. In both cases it is perfectly > fine that files does not exists, and we cannot know any file names beforehand > due to these filenames being based upon the certificate's CN field. > > The problem arises when OpenVPN cannot open files inside a directory because > the directory permissions are too restrictive, have wrong ownership (triggered > by the usage of --user/--group) or other security mechanisms the OS uses. > > When a client connects, the test_file() function is used to check if a client > config file has been prepared. And if not, it continues without trying to > read > it. So, if the privileges of the running OpenVPN process is not allowed to > open and read an existing file, OpenVPN will treat this as a non-existing file > without saying anything. This is clearly wrong. So this patch adds an > warning > message in the OpenVPN log if it could not open the file due to lack of > permissions. > > This will work fine on all *nix based OSes. Windows however reports 'no such > file or directory' (errno=2/-ENOENT) even on privilege access errors when the > directory this file resides is too restrictive. But there is no easy way to > work around that. However, I believe that the initial sanity checking at > startup will catch that one, as it will check if the directories it needs > exists. > > This patch has only gone through simple basic testing, with both too few > privileges and with proper privileges to the CCD directory. With wrong > privileges, the following error can be found if CN=Test client > > Fri May 2 00:00:10 2014 us=281993 127.0.0.1:41017 Could not access file > '/etc/clients/Test client': Permission denied (errno=13) > > [v2 - use openvpn_errno() instead of errno, for better platform support] > > Trac: #277 > Trac-URL: https://community.openvpn.net/openvpn/ticket/277 > Signed-off-by: David Sommerseth <d...@users.sourceforge.net> > --- > src/openvpn/misc.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c > index 7483184..63b4c1c 100644 > --- a/src/openvpn/misc.c > +++ b/src/openvpn/misc.c > @@ -861,6 +861,12 @@ test_file (const char *filename) > fclose (fp); > ret = true; > } > + else > + { > + if( openvpn_errno () == EACCES ) { > + msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename); > + } > + } > } > > dmsg (D_TEST_FILE, "TEST FILE '%s' [%d]", >
