On 10/12/16 12:57, Christian Hesse wrote:
> SviMik <svi...@mail.ru> on Sat, 2016/12/10 06:06:
>>> You can break this with something like:
>>> status /etc/openvpn/client/status.log
>>> in your configuration. Writing a status file
>>> to /run/openvpn-{client,server}/status.log works, though. So the default
>>> setups should be fine. Do we have any more cases where openvpn wants write
>>> access for whatever?  
>> From my configuration:
>> 1) status
> That is fine if it is written to /run/openvpn-{client,server}/. It breaks
> with the status file in /etc/openvpn/{client,server}/ or example.

FWIW, the default SELinux policies actually denies any openvpn_exec_t
process to write to /etc ... I believe that is independent of Linux
distros, as long as SELinux have been enabled and the system is Enforced

>> 2) ifconfig-pool-persist
> That is a problem... As the name suggests this should be persistent. :-/

Same SELinux issue here too.  IIRC, these files needs to be located
under /var/lib/openvpn or /var/run/openvpn.  But I do see there is one
exception ... /etc/openvpn/ipp\.txt will be labelled openvpn_etc_rw_t,
which is OpenVPN is allowed to write to.

>> 3) tmp-dir (for storing openvpn_pf_*.tmp files)
> Never used this. What is it for?
> Anyway, I think this is not persistent stuff? Writing to /tmp/
> or /run/openvpn-{client,server}/ should be fine.

The openvpn_pf_*.tmp files are just one thing.  If you use
--auth-user-pass-verify script hooks or perhaps even --plugin for
authentication, other temp files are generated in the default tmp-dir.
See commit 4e1cc5f6dda22e9ff12 for more info.

>> 4) client-connect script may want to write something
> My scripts do some configuration and dbus-stuff, but do not write anything...
> Writing to read-only path would fail, of course.

Again, SELinux can again block this already ... unless you write in the
properly labelled directories for OpenVPN.

>> 5) a plugin may want to write something
> Same here... /run/ and /tmp/ is fine, other paths fail.

The same as 4)

>> For me even the read-only option will break nearly *everything*. And for
>> user it will be completely not obvious why his scripts doesn't work, why
>> his status file is not updated, and what's wrong with ifconfig-pool-persist.
> Well, the error message should include something like: "cannot open file
> 'file': Read-only file system".
> But this is more problematic than I thought initially.

If we have some directories which complies with the SELinux policies in
regards to read/write privileges, we should be fine.  And restricting
which directories OpenVPN can write to is quite sane.  All those plenty
of blogs putting runtime status files into /etc/openvpn have
misunderstood quite some of the concept of the Unix file system layout.

kind regards,

David Sommerseth
OpenVPN Technologies, Inc

Attachment: signature.asc
Description: OpenPGP digital signature

Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi
Openvpn-devel mailing list

Reply via email to