On 10/12/16 12:57, Christian Hesse wrote:
> SviMik <[email protected]> on Sat, 2016/12/10 06:06:
>>> You can break this with something like:
>>>
>>> status /etc/openvpn/client/status.log
>>>
>>> in your configuration. Writing a status file
>>> to /run/openvpn-{client,server}/status.log works, though. So the default
>>> setups should be fine. Do we have any more cases where openvpn wants write
>>> access for whatever?
>>
>> From my configuration:
>> 1) status
>
> That is fine if it is written to /run/openvpn-{client,server}/. It breaks
> with the status file in /etc/openvpn/{client,server}/ for example.
FWIW, the default SELinux policies actually deny any openvpn_exec_t
process from writing to /etc ... I believe that is independent of the Linux
distro, as long as SELinux has been enabled and the system is in enforcing
mode.
>> 2) ifconfig-pool-persist
>
> That is a problem... As the name suggests this should be persistent. :-/
Same SELinux issue here too. IIRC, these files need to be located
under /var/lib/openvpn or /var/run/openvpn. But I do see there is one
exception ... /etc/openvpn/ipp\.txt will be labelled openvpn_etc_rw_t,
which OpenVPN is allowed to write to.
>> 3) tmp-dir (for storing openvpn_pf_*.tmp files)
>
> Never used this. What is it for?
> Anyway, I think this is not persistent stuff? Writing to /tmp/
> or /run/openvpn-{client,server}/ should be fine.
The openvpn_pf_*.tmp files are just one thing. If you use
--auth-user-pass-verify script hooks or perhaps even --plugin for
authentication, other temp files are generated in the default tmp-dir.
See commit 4e1cc5f6dda22e9ff12 for more info.
>> 4) client-connect script may want to write something
>
> My scripts do some configuration and dbus-stuff, but do not write anything...
> Writing to read-only path would fail, of course.
Again, SELinux can block this already ... unless you write to the
properly labelled directories for OpenVPN.
>> 5) a plugin may want to write something
>
> Same here... /run/ and /tmp/ is fine, other paths fail.
The same as 4)
>> For me even the read-only option will break nearly *everything*. And for
>> the user it will be completely non-obvious why his scripts don't work, why
>> his status file is not updated, and what's wrong with ifconfig-pool-persist.
>
> Well, the error message should include something like: "cannot open file
> 'file': Read-only file system".
>
> But this is more problematic than I thought initially.
If we have some directories which comply with the SELinux policies in
regards to read/write privileges, we should be fine. And restricting
which directories OpenVPN can write to is quite sane. All those
blogs putting runtime status files into /etc/openvpn have
misunderstood a good part of the concept of the Unix file system layout.
--
kind regards,
David Sommerseth
OpenVPN Technologies, Inc
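The thread above lists the OpenVPN options that make the daemon write somewhere (status, ifconfig-pool-persist, tmp-dir, plus whatever scripts and plugins do) and notes that only the runtime/state directories are safe once /etc is read-only or SELinux is enforcing. The script below is an added example, not code from the thread or from the OpenVPN project: it scans a config file for those write-path options and flags any that point outside an assumed set of writable directories (/run/openvpn-{client,server}, /var/run/openvpn, /var/lib/openvpn and /tmp, taken from the messages above; adjust the list to your units and policy). The log, log-append and writepid options are added from OpenVPN's own option set and are not mentioned in the thread; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# ovpn-write-check.sh: flag OpenVPN config options that point the daemon at a
# write location outside the runtime/state directories.
# Added example; not part of the openvpn-devel thread or the OpenVPN project.
set -f   # no globbing while we word-split config lines

# Assumed writable locations (assumption, taken from the thread):
# /run/openvpn-{client,server} for the systemd units discussed,
# /var/run/openvpn and /var/lib/openvpn for the SELinux policy, /tmp for tmp-dir.
OVPN_WRITABLE_DIRS="/run/openvpn-client /run/openvpn-server /var/run/openvpn /var/lib/openvpn /tmp"

# Options whose argument is a path OpenVPN writes to. status, ifconfig-pool-persist
# and tmp-dir are named in the thread; log, log-append and writepid are the other
# write-path options from OpenVPN's option set (added here).
OVPN_WRITE_OPTS="status ifconfig-pool-persist tmp-dir log log-append writepid"

# ovpn_path_allowed ABSPATH -> 0 if ABSPATH is one of, or lies under, one of
# OVPN_WRITABLE_DIRS; 1 otherwise.
ovpn_path_allowed() {
    for d in $OVPN_WRITABLE_DIRS; do
        case "$1" in
            "$d" | "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# ovpn_check_config FILE
# Prints "<line>:<option> <path>: <reason>" for every problematic option
# (arguments with embedded spaces or quotes are not handled). Returns 0 if the
# config looks clean, 1 if anything was flagged.
ovpn_check_config() {
    cfg=$1 rc=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}; line=${line%%;*}   # drop '#' and ';' comments
        set -- $line                          # word-split into option + args
        [ $# -ge 2 ] || continue
        opt=${1#--} path=$2
        for w in $OVPN_WRITE_OPTS; do
            [ "$opt" = "$w" ] || continue
            case "$path" in
                /*)
                    ovpn_path_allowed "$path" && continue
                    echo "$n:$opt $path: outside writable runtime/state dirs"
                    ;;
                *)
                    # Relative paths resolve against the working directory (or --cd),
                    # which is usually /etc/openvpn or / and therefore read-only.
                    echo "$n:$opt $path: relative path, resolved against the working directory (--cd)"
                    ;;
            esac
            rc=1
        done
    done < "$cfg"
    return $rc
}

# Constructed sample configs (not from the thread): a blog-style server.conf and
# the same config with its write paths moved to the runtime/state directories.
OVPN_SAMPLE_BAD=$(mktemp) OVPN_SAMPLE_GOOD=$(mktemp)
trap 'rm -f "$OVPN_SAMPLE_BAD" "$OVPN_SAMPLE_GOOD"' EXIT
cat > "$OVPN_SAMPLE_BAD" <<'EOF'
# blog-style server.conf (constructed sample)
port 1194
proto udp
dev tun
status /etc/openvpn/server/status.log 10
ifconfig-pool-persist ipp.txt
tmp-dir /etc/openvpn/tmp
writepid /run/openvpn-server/server.pid
EOF
cat > "$OVPN_SAMPLE_GOOD" <<'EOF'
port 1194
proto udp
dev tun
status /run/openvpn-server/status.log 10
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
tmp-dir /run/openvpn-server
writepid /run/openvpn-server/server.pid
EOF

for f in "$OVPN_SAMPLE_BAD" "$OVPN_SAMPLE_GOOD"; do
    if ovpn_check_config "$f"; then
        echo "$f: no problematic write paths"
    else
        echo "$f: see the lines above"
    fi
done
```

Run it against a real config with `ovpn_check_config /etc/openvpn/server/server.conf` after sourcing the script. The check is static and deliberately conservative: it does not know whether a flagged directory is actually writable or correctly labelled on the host, it only tells you which options will be the first to fail under a read-only /etc or an enforcing SELinux policy, which is exactly the "why does my status file not update" confusion the thread worries about.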
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
