JJK hi--

On 06/04/2015 10:58 AM, Jan Just Keijser wrote:
Hi,

Douglas D Germann Sr wrote:

I have a Synology ds213j which since a recent update will not recognize the line in the server.conf that reads group nobody.

If I comment out that line, it runs OK. (It still has the user nobody line, uncommented.)

I have tried changing it to group nogroup and that does not help. In /etc/group there is a group nobody.

Is this a security issue? If so, any suggested fixes?


This is not a security issue. What is shown in the log file when you add
 group nobody
to the config? It *might* be that the Synology folks removed support for this from OpenVPN, but then they must have patched the code...

JJK

After removing the # ahead of user nobody in the server.conf file, the GUI to restart the OpenVPN server reports: "Failed to enable OpenVPN. Please check the configuration file." The log file shows:

Thu Jun 4 22:23:11 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1195
Thu Jun  4 22:23:11 2015 MANAGEMENT: CMD 'exit'
Thu Jun  4 22:23:11 2015 MANAGEMENT: Client disconnected
Thu Jun  4 22:23:11 2015 event_wait : Interrupted system call (code=4)
Thu Jun  4 22:23:11 2015 /sbin/route del -net 10.8.1.0 netmask 255.255.255.0
route: SIOCDELRT: Operation not permitted
Thu Jun 4 22:23:11 2015 ERROR: Linux route delete command failed: external program exited with error status: 1
Thu Jun  4 22:23:11 2015 Closing TUN/TAP interface
Thu Jun  4 22:23:11 2015 /sbin/ifconfig tun0 0.0.0.0
ifconfig: SIOCSIFADDR: Permission denied
Thu Jun 4 22:23:11 2015 Linux ip addr del failed: external program exited with error status: 1
Thu Jun  4 22:23:13 2015 SIGTERM[hard,] received, process exiting
Thu Jun 4 22:23:44 2015 OpenVPN 2.3.6 armle-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 29 2015
Thu Jun 4 22:23:44 2015 library versions: OpenSSL 1.0.1m-fips 19 Mar 2015, LZO 2.08
Thu Jun 4 22:23:44 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
Thu Jun 4 22:23:44 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Jun  4 22:23:45 2015 Diffie-Hellman initialized with 4096 bit key
Thu Jun 4 22:23:45 2015 WARNING: file 'ta.key' is group or others accessible
Thu Jun 4 22:23:45 2015 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Jun 4 22:23:45 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 4 22:23:45 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 4 22:23:45 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Jun 4 22:23:45 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=00:11:32:2c:66:66
Thu Jun  4 22:23:45 2015 TUN/TAP device tun0 opened
Thu Jun  4 22:23:45 2015 TUN/TAP TX queue length set to 100
Thu Jun 4 22:23:45 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jun 4 22:23:45 2015 /sbin/ifconfig tun0 10.8.1.1 pointopoint 10.8.1.2 mtu 1500
Thu Jun 4 22:23:45 2015 /sbin/route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.1.2
Thu Jun 4 22:23:45 2015 setgid('nobody') failed: Operation not permitted (errno=1)
Thu Jun  4 22:23:45 2015 Exiting due to fatal error
Thu Jun  4 22:23:45 2015 /sbin/route del -net 10.8.1.0 netmask 255.255.255.0
Thu Jun  4 22:23:45 2015 Closing TUN/TAP interface
Thu Jun  4 22:23:45 2015 /sbin/ifconfig tun0 0.0.0.0
mariah>

I see the line that said setgid for nobody failed.

Route shows only two eth0 Ifaces.

Then when I comment out the group nobody I get:

Thu Jun 4 22:30:04 2015 OpenVPN 2.3.6 armle-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 29 2015
Thu Jun 4 22:30:04 2015 library versions: OpenSSL 1.0.1m-fips 19 Mar 2015, LZO 2.08
Thu Jun 4 22:30:04 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
Thu Jun 4 22:30:04 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Jun  4 22:30:05 2015 Diffie-Hellman initialized with 4096 bit key
Thu Jun 4 22:30:05 2015 WARNING: file 'ta.key' is group or others accessible
Thu Jun 4 22:30:05 2015 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Jun 4 22:30:05 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 4 22:30:05 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 4 22:30:05 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Jun 4 22:30:05 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=00:11:32:2c:66:66
Thu Jun  4 22:30:05 2015 TUN/TAP device tun0 opened
Thu Jun  4 22:30:05 2015 TUN/TAP TX queue length set to 100
Thu Jun 4 22:30:05 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jun 4 22:30:05 2015 /sbin/ifconfig tun0 10.8.1.1 pointopoint 10.8.1.2 mtu 1500
Thu Jun 4 22:30:05 2015 /sbin/route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.1.2
Thu Jun  4 22:30:05 2015 UID set to nobody
Thu Jun  4 22:30:05 2015 UDPv6 link local (bound): [undef]
Thu Jun  4 22:30:05 2015 UDPv6 link remote: [undef]
Thu Jun  4 22:30:05 2015 MULTI: multi_init called, r=256 v=256
Thu Jun  4 22:30:05 2015 IFCONFIG POOL: base=10.8.1.4 size=62, ipv6=0
Thu Jun 4 22:30:05 2015 ifconfig_pool_read(), in='fire,10.8.1.4', TODO: IPv6
Thu Jun  4 22:30:05 2015 succeeded -> ifconfig_pool_set()
Thu Jun  4 22:30:05 2015 ifconfig_pool_read(), in='air,10.8.1.8', TODO: IPv6
Thu Jun  4 22:30:05 2015 succeeded -> ifconfig_pool_set()
Thu Jun 4 22:30:05 2015 ifconfig_pool_read(), in='wind,10.8.1.12', TODO: IPv6
Thu Jun  4 22:30:05 2015 succeeded -> ifconfig_pool_set()
Thu Jun 4 22:30:05 2015 ifconfig_pool_read(), in='svs2,10.8.1.16', TODO: IPv6
Thu Jun  4 22:30:05 2015 succeeded -> ifconfig_pool_set()
Thu Jun 4 22:30:05 2015 ifconfig_pool_read(), in='air3,10.8.1.20', TODO: IPv6
Thu Jun  4 22:30:05 2015 succeeded -> ifconfig_pool_set()
Thu Jun  4 22:30:05 2015 IFCONFIG POOL LIST
Thu Jun  4 22:30:05 2015 fire,10.8.1.4
Thu Jun  4 22:30:05 2015 air,10.8.1.8
Thu Jun  4 22:30:05 2015 wind,10.8.1.12
Thu Jun  4 22:30:05 2015 svs2,10.8.1.16
Thu Jun  4 22:30:05 2015 air3,10.8.1.20
Thu Jun  4 22:30:05 2015 Initialization Sequence Completed
mariah>

JJK, see anything there that is a worry?

Thanks!

:- Doug.
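An added example, not part of the thread and not OpenVPN's own code: a small Python check that walks an OpenVPN 2.3 server log and reports what became of the `user`/`group` privilege drop, so the two outcomes Doug posted (setgid refused and the server exiting; server up with the UID dropped but no GID drop) can be told apart without reading the whole log, and the `ta.key` permission warning is surfaced at the same time. The message texts it matches ("UID set to", "GID set to", "setgid('...') failed: ...", the key-file WARNING, "Initialization Sequence Completed", "Exiting due to fatal error") are the ones OpenVPN 2.3 prints; the two sample logs are constructed from a subset of the lines in the excerpts above.

```python
"""Report the outcome of OpenVPN's user/group privilege drop from its log.

Added example for this thread; not OpenVPN code. The matched message texts are
OpenVPN 2.3's own; the sample logs below are built from the thread's excerpts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: subset of the log Doug posted with "group nobody" active.
LOG_WITH_GROUP = """\
Thu Jun  4 22:23:45 2015 Diffie-Hellman initialized with 4096 bit key
Thu Jun  4 22:23:45 2015 WARNING: file 'ta.key' is group or others accessible
Thu Jun  4 22:23:45 2015 TUN/TAP device tun0 opened
Thu Jun  4 22:23:45 2015 /sbin/route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.1.2
Thu Jun  4 22:23:45 2015 setgid('nobody') failed: Operation not permitted (errno=1)
Thu Jun  4 22:23:45 2015 Exiting due to fatal error
Thu Jun  4 22:23:45 2015 /sbin/route del -net 10.8.1.0 netmask 255.255.255.0
"""

# Constructed sample: subset of the log with "group nobody" commented out.
LOG_WITHOUT_GROUP = """\
Thu Jun  4 22:30:05 2015 WARNING: file 'ta.key' is group or others accessible
Thu Jun  4 22:30:05 2015 TUN/TAP device tun0 opened
Thu Jun  4 22:30:05 2015 UID set to nobody
Thu Jun  4 22:30:05 2015 Initialization Sequence Completed
"""

# "Thu Jun  4 22:30:05 2015 ": the day may be padded with one or two spaces.
_TIMESTAMP = re.compile(r"^\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} ")
_DROP_FAILED = re.compile(r"^set(u|g)id\('([^']*)'\) failed: (.*)$")
_KEY_WARNING = re.compile(r"^WARNING: file '([^']+)' is group or others accessible$")


@dataclass
class PrivilegeReport:
    uid_dropped: bool = False   # saw "UID set to <user>"
    gid_dropped: bool = False   # saw "GID set to <group>"
    drop_failures: List[Tuple[str, str, str]] = field(default_factory=list)  # (uid|gid, name, reason)
    exposed_key_files: List[str] = field(default_factory=list)
    completed: bool = False     # saw "Initialization Sequence Completed"
    fatal: bool = False         # saw "Exiting due to fatal error"


def strip_timestamp(line: str) -> str:
    """Return the message part of a log line; lines without a timestamp pass through."""
    return _TIMESTAMP.sub("", line, count=1)


def analyze(log_text: str) -> PrivilegeReport:
    """Walk the log once and record what happened to the privilege drop."""
    report = PrivilegeReport()
    for raw in log_text.splitlines():
        msg = strip_timestamp(raw.strip())
        if msg.startswith("UID set to "):
            report.uid_dropped = True
        elif msg.startswith("GID set to "):
            report.gid_dropped = True
        elif msg == "Initialization Sequence Completed":
            report.completed = True
        elif msg.startswith("Exiting due to fatal error"):
            report.fatal = True
        else:
            m = _DROP_FAILED.match(msg)
            if m:
                report.drop_failures.append((m.group(1) + "id", m.group(2), m.group(3)))
                continue
            m = _KEY_WARNING.match(msg)
            if m:
                report.exposed_key_files.append(m.group(1))
    return report


def findings(report: PrivilegeReport) -> List[str]:
    """Turn the report into the points an operator should act on."""
    out = []
    for which, name, reason in report.drop_failures:
        out.append(f"{which} drop to '{name}' failed ({reason}); "
                   "OpenVPN refuses to run rather than keep the privilege")
    if report.completed and report.uid_dropped and not report.gid_dropped:
        out.append("server is up with a dropped UID but its original GID: "
                   "no 'group' directive took effect")
    if report.completed and not report.uid_dropped:
        out.append("server is up without dropping its UID: no 'user' directive took effect")
    for path in report.exposed_key_files:
        out.append(f"{path} is readable by group/others; restrict it to the owner (mode 0600)")
    return out


if __name__ == "__main__":
    for label, text in (("with group nobody", LOG_WITH_GROUP),
                        ("without group nobody", LOG_WITHOUT_GROUP)):
        print(f"== {label} ==")
        for line in findings(analyze(text)):
            print(" -", line)
```

On the first excerpt the check reports the refused setgid and the fatal exit (OpenVPN fails closed rather than continuing with the group privilege it was told to shed), on the second that the server is running with a dropped UID only; both excerpts get the `ta.key` permission finding, which is independent of the group question.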

Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users